Listen to this Post
The vulnerability exists in OpenClaw’s HTTP hook handler, which manages incoming webhook requests at the `/hooks/` endpoint. The handler incorrectly counts authentication failures before validating the HTTP method of the request. When an unauthenticated client sends a non-POST request such as GET, HEAD, or PUT with an invalid authentication token, the system increments the hook authentication failure counter for that client key. This counter is part of a rate-limiting mechanism designed to prevent brute-force attacks by temporarily locking out clients after too many failed attempts. An attacker can exploit this logic flaw by sending a rapid sequence of non-POST requests with invalid tokens, each consuming one unit of the auth failure budget. Once the budget is exhausted, the system triggers a temporary lockout window for that specific client key, blocking all further requests including legitimate webhook deliveries. The impact is amplified in shared network environments where multiple users collapse to the same client key, such as behind proxies or NAT gateways. A single attacker sharing that infrastructure can lock out all legitimate traffic. The fix implemented in commit `44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89` reorders the request handling logic: the method gate now runs before authentication failure accounting. Unsupported HTTP methods immediately return `405 Method Not Allowed` without touching the auth failure counter, preserving the lockout budget for legitimate POST requests.
Platform: openclaw npm
Version: <=2026.3.2
Vulnerability : Auth Lockout
Severity: Medium
date: 2026-03-08
Prediction: 2026-03-15
What Undercode Say:
Analytics
- Package: `openclaw` on npm
- Total Downloads: ~2.5 million monthly downloads
- Affected Version Range: All versions up to 2026.3.2 inclusive
- Fix Commit: `44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89`
– Patched Version: `2026.3.7`
– Reported By: @JNX03
Bash Commands & Code Analysis
Check installed OpenClaw version npm list openclaw Update to patched version npm install [email protected] Verify the fix commit in local installation npm view [email protected] dist.tarball | xargs curl -s | tar -tz | grep -i hook Test if your instance is vulnerable (run against YOUR OWN instance) curl -X GET http://localhost:18789/hooks/test-hook \ -H "Authorization: Bearer invalid-token" Monitor auth failure logs for lockout events tail -f ~/.openclaw/logs/gateway.log | grep -E "auth failure|lockout|rate limit" Simulate the attack pattern (educational purposes only) for i in {1..100}; do curl -X GET http://localhost:18789/hooks/test-hook \ -H "Authorization: Bearer invalid-token-$i" \ -s -o /dev/null -w "%{http_code}\n" done
How Exploit
An attacker on the same network segment sends rapid non-POST requests with invalid tokens to a `/hooks/` endpoint, exhausting the auth failure budget for that client key and triggering temporary lockout of legitimate webhook deliveries sharing that key.
Protection from this CVE
- Immediate update to OpenClaw `2026.3.7` or later
- If unable to patch immediately, implement reverse proxy rate-limiting for `/hooks/` endpoints to cap request rates per source IP
- Monitor authentication failure logs for anomalous spikes from single client keys
- Deploy Web Application Firewall (WAF) rules to block non-POST requests to hook endpoints before they reach OpenClaw
Impact
- Availability: Temporary denial of service for hook-triggered automation and wake functionality
- Attack Vector: Network-based, unauthenticated, requires ability to reach `/hooks/` endpoints
- Scope: Limited to availability loss; no data breach or code execution
- Affected Users: Users in shared network environments (proxies, NAT) most at risk
- Business Impact: Missed automated tasks, delayed wake events, interrupted integrations
References
- Fix Commit: `44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89`
– Patched npm Package: `[email protected]`
– Reported by: @JNX03
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

