GHSA-5847-rm3g-23mw: OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
Summary
OpenClaw's hook authentication rate limiter (the throttle on repeated hook auth attempts) treated an IPv4 address and the IPv4-mapped IPv6 form of the same address (for example 1.2.3.4 and ::ffff:1.2.3.4) as two different clients, so each form got its own attempt counter. An attacker who alternated between the two forms could double their brute-force budget from 20 to 40 attempts per minute.
Solution / Mitigation
The fix centralizes client-IP normalization into a single canonical routine that all auth rate limiting reuses, and keys hook auth throttling on that canonical form, so every textual variant of a client address shares one counter. The issue is patched in version 2026.2.22 of the openclaw npm package (fix commit 3284d2eb227e7b6536d543bcf5c3e320bc9d13c5).
Original source: https://github.com/advisories/GHSA-5847-rm3g-23mw
First tracked: March 2, 2026 at 11:00 PM