GHSA-25wv-8phj-8p7r: OpenClaw: auth rate-limit bypass via async race condition
GHSA-25wv-8phj-8p7r LOWOpenClaw, a local AI agent with Tailscale networking integration, contains a race condition that allows concurrent async authentication requests to exhaust the shared-secret rate-limit budget, potentially enabling brute-force attacks against the authentication mechanism. While severity is rated low and the trust model is explicitly scoped to single-user local deployments, the package carries a history of 60 prior CVEs — a meaningful signal of systemic security debt that warrants elevated scrutiny even for low-severity findings. With no public exploit, no CISA KEV designation, and no EPSS data available, active in-the-wild exploitation appears unlikely at this time. Organizations deploying OpenClaw should upgrade to version 2026.4.4 immediately; if patching is delayed, restrict Tailscale ACLs to limit which nodes can reach the instance and rotate shared secrets after patching.
What is the risk?
Risk is LOW overall given the local deployment model and single-user trust boundary. The race condition is real but requires an attacker to already have Tailscale network access — a significant prerequisite that substantially constrains the attack surface. The 60 prior CVEs in this package represents systemic security debt warranting long-term scrutiny beyond this individual finding. No public exploit code exists and exploitation requires non-trivial concurrency engineering knowledge.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.4 | 2026.4.4 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Upgrade openclaw (npm) to version 2026.4.4 or later immediately — patch is available and the fix has been regression-tested.
-
If patching is delayed, restrict Tailscale ACLs to limit which tailnet nodes can reach the OpenClaw instance.
-
Rotate shared secrets after patching to invalidate any potentially compromised credentials.
-
Monitor for anomalous auth attempt patterns (high-frequency concurrent requests) in OpenClaw logs as a detection indicator.
-
Given 60 CVEs in this package, perform a broader security review and assess whether OpenClaw meets organizational risk tolerance for AI agent tooling.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-25wv-8phj-8p7r?
OpenClaw, a local AI agent with Tailscale networking integration, contains a race condition that allows concurrent async authentication requests to exhaust the shared-secret rate-limit budget, potentially enabling brute-force attacks against the authentication mechanism. While severity is rated low and the trust model is explicitly scoped to single-user local deployments, the package carries a history of 60 prior CVEs — a meaningful signal of systemic security debt that warrants elevated scrutiny even for low-severity findings. With no public exploit, no CISA KEV designation, and no EPSS data available, active in-the-wild exploitation appears unlikely at this time. Organizations deploying OpenClaw should upgrade to version 2026.4.4 immediately; if patching is delayed, restrict Tailscale ACLs to limit which nodes can reach the instance and rotate shared secrets after patching.
Is GHSA-25wv-8phj-8p7r actively exploited?
No confirmed active exploitation of GHSA-25wv-8phj-8p7r has been reported, but organizations should still patch proactively.
How to fix GHSA-25wv-8phj-8p7r?
1. Upgrade openclaw (npm) to version 2026.4.4 or later immediately — patch is available and the fix has been regression-tested. 2. If patching is delayed, restrict Tailscale ACLs to limit which tailnet nodes can reach the OpenClaw instance. 3. Rotate shared secrets after patching to invalidate any potentially compromised credentials. 4. Monitor for anomalous auth attempt patterns (high-frequency concurrent requests) in OpenClaw logs as a detection indicator. 5. Given 60 CVEs in this package, perform a broader security review and assess whether OpenClaw meets organizational risk tolerance for AI agent tooling.
What systems are affected by GHSA-25wv-8phj-8p7r?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI deployments.
What is the CVSS score for GHSA-25wv-8phj-8p7r?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0034.000 Excessive Queries AML.T0112.000 Local AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths. Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.2` - Patched versions: `2026.4.4` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @Telecaster2147 for reporting.
Exploitation Scenario
An adversary who has established Tailscale network access — via a compromised endpoint on the same tailnet or a rogue insider — targets an unpatched OpenClaw instance. They fire hundreds of concurrent async authentication requests simultaneously against the shared-secret auth endpoint. Because the rate-limiter's budget is tracked in a shared state without proper concurrency locks, the parallel requests race past the throttle threshold, effectively granting unlimited authentication attempts. The attacker systematically brute-forces the shared secret, gains authenticated access to the local AI agent, and proceeds to invoke agent tools, read local files exposed through the agent's capabilities, or inject malicious skill configurations analogous to the credential theft pattern documented in AIID #1368.
Weaknesses (CWE)
CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.
- [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
- [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw