GHSA-6p8r-6m93-557f: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
Summary
OpenClaw versions up to 2026.3.28 contain a flaw in their shared-authentication rate limiting: because the rate limiter keys its counters on a DeviceToken (a client-supplied authentication identifier), an attacker can present freshly fabricated DeviceTokens to reset the limit on login attempts and brute-force weak shared passwords. The issue is most serious for deployments that rely on shared authentication (a single password used by multiple users) rather than strong token-based credentials.
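To illustrate the class of bug described above (a rate-limit bucket keyed on an identifier the client chooses) beside a hardened variant, here is an added example in Python; it is not OpenClaw's code, and the `x-device-token` header, request shape and peer address are assumptions constructed for the demonstration:

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # failed attempts allowed per bucket per window
WINDOW_SECONDS = 60


class LoginRateLimiter:
    """Fixed-window counter of failed shared-password attempts, one bucket per key."""

    def __init__(self, key_func, now=time.monotonic):
        self._key_func = key_func
        self._now = now
        self._buckets = defaultdict(list)   # key -> timestamps of recent failures

    def allow(self, request):
        key = self._key_func(request)
        cutoff = self._now() - WINDOW_SECONDS
        recent = [t for t in self._buckets[key] if t > cutoff]
        self._buckets[key] = recent
        return len(recent) < MAX_ATTEMPTS

    def record_failure(self, request):
        self._buckets[self._key_func(request)].append(self._now())


# Weak: the bucket is chosen by a header the client supplies and the server
# never verified, so every new token value starts with an empty counter.
def key_by_client_device_token(request):
    return request["headers"].get("x-device-token", "")


# Hardened: bucket on something the client cannot freely rotate per request.
# Here that is the peer address (behind a trusted proxy, use the address the
# proxy reports); a verified, server-issued token would also work.
def key_by_peer_address(request):
    return request["peer"]


def simulate(limiter, attempts):
    """Constructed scenario: one peer rotates a fresh token on every failed login."""
    allowed = 0
    for i in range(attempts):
        req = {"peer": "203.0.113.7", "headers": {"x-device-token": f"fake-{i}"}}
        if limiter.allow(req):
            allowed += 1
            limiter.record_failure(req)     # wrong password, count it
    return allowed
```

With the weak key every one of the attempts is let through; with the hardened key only the first MAX_ATTEMPTS are.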
Solution / Mitigation
Update OpenClaw to version 2026.3.31 or later. The fix ships in release 2026.3.31 via commit af0c0862f22ca4492406a3103d05e3628f94cbe9, dated 2026-03-31.
Original source: https://github.com/advisories/GHSA-6p8r-6m93-557f
First tracked: April 3, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 85%