GHSA-25wv-8phj-8p7r: OpenClaw: auth rate-limit bypass via async race condition

GHSA-25wv-8phj-8p7r LOW
Published April 9, 2026
CISO Take

OpenClaw, a local AI agent with Tailscale networking integration, contains a race condition that allows concurrent async authentication requests to exhaust the shared-secret rate-limit budget, potentially enabling brute-force attacks against the authentication mechanism. While severity is rated low and the trust model is explicitly scoped to single-user local deployments, the package carries a history of 60 prior CVEs — a meaningful signal of systemic security debt that warrants elevated scrutiny even for low-severity findings. With no public exploit, no CISA KEV designation, and no EPSS data available, active in-the-wild exploitation appears unlikely at this time. Organizations deploying OpenClaw should upgrade to version 2026.4.4 immediately; if patching is delayed, restrict Tailscale ACLs to limit which nodes can reach the instance and rotate shared secrets after patching.

Sources: GitHub Advisory, ATLAS, CISA KEV

Risk Assessment

Risk is LOW overall given the local deployment model and single-user trust boundary. The race condition is real but requires an attacker to already have Tailscale network access — a significant prerequisite that substantially constrains the attack surface. The 60 prior CVEs in this package represent systemic security debt warranting long-term scrutiny beyond this individual finding. No public exploit code exists and exploitation requires non-trivial concurrency engineering knowledge.

Affected Systems

Package     Ecosystem    Vulnerable Range    Patched
openclaw    npm          < 2026.4.4          2026.4.4

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw (npm) to version 2026.4.4 or later immediately — patch is available and the fix has been regression-tested.
  2. If patching is delayed, restrict Tailscale ACLs to limit which tailnet nodes can reach the OpenClaw instance.
  3. Rotate shared secrets after patching to invalidate any potentially compromised credentials.
  4. Monitor for anomalous auth attempt patterns (high-frequency concurrent requests) in OpenClaw logs as a detection indicator.
  5. Given 60 CVEs in this package, perform a broader security review and assess whether OpenClaw meets organizational risk tolerance for AI agent tooling.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.1.4 - AI System Access Control
NIST AI RMF: MANAGE-2.2 - Risk Treatment — Vulnerability Remediation
OWASP LLM Top 10: LLM10:2025 - Unbounded Consumption

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-25wv-8phj-8p7r actively exploited?

No confirmed active exploitation of GHSA-25wv-8phj-8p7r has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-25wv-8phj-8p7r?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI deployments.

What is the CVSS score for GHSA-25wv-8phj-8p7r?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths. Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<=2026.4.2`
- Patched versions: `2026.4.4`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @Telecaster2147 for reporting.

Exploitation Scenario

An adversary who has established Tailscale network access — via a compromised endpoint on the same tailnet or a rogue insider — targets an unpatched OpenClaw instance. They fire hundreds of concurrent async authentication requests simultaneously against the shared-secret auth endpoint. Because the rate-limiter's budget is tracked in a shared state without proper concurrency locks, the parallel requests race past the throttle threshold, effectively granting unlimited authentication attempts. The attacker systematically brute-forces the shared secret, gains authenticated access to the local AI agent, and proceeds to invoke agent tools, read local files exposed through the agent's capabilities, or inject malicious skill configurations analogous to the credential theft pattern documented in AIID #1368.
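
The check-then-await pattern behind this class of bug, shown next to a limiter that charges the budget before awaiting. This is an added example, not OpenClaw's code or the upstream fix; `verify`, `racyLimiter`, `reservingLimiter`, `burst`, the key name and the budget of 5 are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw code; all names here are hypothetical.
const BUDGET = 5; // attempts allowed per key (window expiry omitted for brevity)

// Async secret check, a stand-in for any awaited step in an auth path.
// Dynamic import keeps the snippet valid as CommonJS or as an ES module.
async function verify(secret, guess) {
  const { createHash, timingSafeEqual } = await import("node:crypto");
  const h = (s) => createHash("sha256").update(s).digest();
  return timingSafeEqual(h(secret), h(guess));
}

// Vulnerable: the budget is checked before the await and charged after it,
// so every request already in flight passes the check on a stale counter.
function racyLimiter(secret) {
  const failures = new Map();
  let verified = 0;
  return {
    verifiedCount: () => verified,
    async attempt(key, guess) {
      if ((failures.get(key) ?? 0) >= BUDGET) return "throttled";
      verified++;
      if (await verify(secret, guess)) return "ok";
      failures.set(key, (failures.get(key) ?? 0) + 1);
      return "denied";
    },
  };
}

// Hardened: charge the budget synchronously, before the first await. The
// check-and-increment cannot interleave with other requests on the event loop.
function reservingLimiter(secret) {
  const used = new Map();
  let verified = 0;
  return {
    verifiedCount: () => verified,
    async attempt(key, guess) {
      const n = used.get(key) ?? 0;
      if (n >= BUDGET) return "throttled";
      used.set(key, n + 1);
      verified++;
      const ok = await verify(secret, guess);
      if (ok) used.delete(key); // success clears the failure budget
      return ok ? "ok" : "denied";
    },
  };
}
// Constructed workload: n wrong guesses for one key, issued concurrently.
async function burst(limiter, n = 50) {
  await Promise.all(Array.from({ length: n }, (_, i) => limiter.attempt("client-a", `wrong-${i}`)));
  return limiter.verifiedCount();
}
```

With the constructed burst of 50 concurrent attempts, the first limiter runs all 50 secret verifications while the second runs only the 5 the budget allows.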

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
