← back
CVE-2026-41333

OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken

CVSS 6.3 MEDIUMEPSS 0.4%CWE-799
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
OpenClaw · OpenClaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557fhttps://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken