Main Vulnerability Database Vulnerabilities #VU125254

Improper access control in OpenClaw - #VU125254

Published: April 8, 2026

Vulnerability identifier: #VU125254

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenClaw

Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass shared authentication rate limiting.

The vulnerability exists due to improper access control in the mixed WebSocket authentication flow when handling a fake DeviceToken. A remote attacker can supply a fake DeviceToken to bypass shared authentication rate limiting.

The practical risk is primarily limited to deployments that rely on weak shared passwords.

Remediation

Install security update from vendor's website.

Sources

https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f

Improper access control in OpenClaw - #VU125254

Detailed vulnerability description

Remediation

Sources

Please verify you're human