GHSA-5847-rm3g-23mw: OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window.
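The double counting described above, next to a limiter keyed on a normalized address. This is an added example, not OpenClaw's code: `canonicalClientKey`, `makeLimiter` and `acceptedFailures` are hypothetical names, the fixed-window counter is an assumed design, and the address is a constructed documentation-range sample.

```javascript
// Added illustration; not OpenClaw source. Function names are hypothetical.
const LIMIT = 20;         // failed attempts per window, per the advisory
const WINDOW_MS = 60000;  // 60-second window, per the advisory

const isIPv4 = (s) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split(".").every((o) => Number(o) <= 255);

// Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d or ::ffff:hhhh:hhhh) to dotted IPv4.
function canonicalClientKey(addr) {
  const a = String(addr).trim().toLowerCase().replace(/^\[|\]$/g, "");
  const m = /^(?:::|(?:0{1,4}:){5})ffff:(.+)$/.exec(a);
  if (!m) return a;                 // not a mapped address: key on it as-is
  if (isIPv4(m[1])) return m[1];    // dotted tail
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(m[1]);
  if (!hex) return a;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
}

// Fixed-window failure counter; keyFn decides which bucket an address lands in.
function makeLimiter(keyFn) {
  const buckets = new Map();
  return function recordFailure(addr, now) {
    const key = keyFn(addr);
    let b = buckets.get(key);
    if (!b || now - b.start >= WINDOW_MS) {
      b = { start: now, count: 0 };
      buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= LIMIT; // false once this bucket's budget is spent
  };
}

// Feed `total` failures, alternating address forms, all inside one window.
function acceptedFailures(keyFn, forms, total) {
  const record = makeLimiter(keyFn);
  let accepted = 0;
  for (let i = 0; i < total; i++) {
    if (record(forms[i % forms.length], i)) accepted++;
  }
  return accepted;
}

// Constructed sample: one client seen under both address forms.
const FORMS = ["192.0.2.10", "::ffff:192.0.2.10"];
console.log("raw key:", acceptedFailures((a) => a, FORMS, 100));                 // 40
console.log("canonical key:", acceptedFailures(canonicalClientKey, FORMS, 100)); // 20
```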