GHSA-6rmx-gvvg-vh6j: OpenClaw's hooks count non-POST requests toward auth lockout
OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could therefore send repeated non-POST requests (for example GET) carrying an invalid token, consume the hook auth failure budget, and trigger the temporary lockout window for that client key.
The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter.
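To make the check ordering concrete, here is an added example (not OpenClaw's own code) that models both orders in a small Node-style handler; the `FailureLimiter` class, the 429 lockout status, the token value and the limits are assumptions for illustration.

```javascript
// Added example, not OpenClaw's code: a minimal hooks handler with an auth
// failure limiter, in the vulnerable and the fixed check order.
const HOOK_TOKEN = 'constructed-sample-token'; // placeholder, not a real secret
const MAX_FAILURES = 5;     // failures allowed before lockout (assumed)
const LOCKOUT_MS = 60_000;  // lockout window length (assumed)

class FailureLimiter {
  constructor() { this.state = new Map(); } // clientKey -> {failures, lockedUntil}
  isLocked(key, now) {
    const s = this.state.get(key);
    return !!s && s.lockedUntil > now;
  }
  recordFailure(key, now) {
    const s = this.state.get(key) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) { s.lockedUntil = now + LOCKOUT_MS; s.failures = 0; }
    this.state.set(key, s);
  }
}

function authenticate(req) { return req.token === HOOK_TOKEN; }

// Vulnerable order: an auth failure is counted before the method is checked,
// so a GET with a bad token burns the client key's failure budget.
function handleHookVulnerable(limiter, req, now = Date.now()) {
  if (limiter.isLocked(req.clientKey, now)) return 429;
  if (!authenticate(req)) { limiter.recordFailure(req.clientKey, now); return 401; }
  if (req.method !== 'POST') return 405;
  return 200;
}

// Fixed order: the method gate runs first, so unsupported methods get 405
// without touching the limiter; only failed POST authentications count.
function handleHookFixed(limiter, req, now = Date.now()) {
  if (req.method !== 'POST') return 405;
  if (limiter.isLocked(req.clientKey, now)) return 429;
  if (!authenticate(req)) { limiter.recordFailure(req.clientKey, now); return 401; }
  return 200;
}

// Drives a handler through MAX_FAILURES bad-token GETs from one client key,
// then a legitimate POST from the same key; returns that POST's status.
function legitimatePostAfterBadGets(handler) {
  const limiter = new FailureLimiter();
  const now = 1_000;
  for (let i = 0; i < MAX_FAILURES; i++) {
    handler(limiter, { method: 'GET', token: 'wrong', clientKey: 'client-a' }, now);
  }
  return handler(limiter, { method: 'POST', token: HOOK_TOKEN, clientKey: 'client-a' }, now + 1);
}
```

With the vulnerable order the legitimate POST is refused with the lockout status; with the fixed order the GETs never reach the limiter and the POST succeeds.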