OpenClaw (Tailscale path), Concurrent async auth race condition, CVE-2026-32041 (Low severity)

Listen to this Post

The vulnerability arises from how OpenClaw’s Gateway handles concurrent asynchronous shared‑secret authentication attempts on routes that are Tailscale‑capable. On the async Tailscale Serve Control UI path, when multiple authentication requests for the same {scope, ip} arrive simultaneously, they are serialized before the failed‑auth rate limiter records a failure. This means that the first request is processed, fails, and is recorded against the rate‑limit budget. However, the second concurrent request, which also fails, can be processed before the rate limiter’s state has been updated. As a result, the second request may not be counted against the budget, allowing an attacker to bypass the intended per‑key rate‑limit. By sending a high volume of parallel authentication attempts, an attacker can effectively guess shared secrets at a rate higher than the intended limit, increasing the risk of a successful brute‑force attack. The issue is scoped to the OpenClaw trust model and does not assume a multi‑tenant service boundary. The flaw was fixed by serializing failed attempts before they are recorded, ensuring that each attempt is properly counted.

dailycve form:

Platform: OpenClaw Gateway
Version: <=2026.4.2
Vulnerability: Race condition
Severity: Low
date: 2026-04-09

Prediction: 2026-04-11

What Undercode Say:

Analytics:

The vulnerability is a classic TOCTOU (Time‑of‑Check, Time‑of‑Use) race condition in the authentication rate‑limiting logic. Below are relevant bash commands and code snippets that illustrate the problem and the fix.

Simulate concurrent auth attempts using curl
for i in {1..10}; do
curl -X POST https://your-openclaw-gateway/auth \
-H "Authorization: Bearer guess" \
--async &
done
// Original vulnerable code (pseudo)
if (!isRateLimited(scope, ip)) {
if (!authenticate(request)) {
recordFailedAttempt(scope, ip);
return 401;
}
}
// Fixed code
if (!isRateLimited(scope, ip)) {
// Serialize access to the rate limiter
await rateLimiterMutex.acquire();
try {
if (!authenticate(request)) {
recordFailedAttempt(scope, ip);
return 401;
}
} finally {
rateLimiterMutex.release();
}
}

Exploit:

An attacker can send multiple asynchronous authentication requests with different guessed secrets. Because the rate limiter’s state is not updated before the second request is processed, the attacker can exhaust the rate‑limit budget more quickly than intended, potentially guessing the correct secret.

Protection from this CVE:

  • Upgrade to OpenClaw version 2026.4.4 or later.
  • Enforce strong, high‑entropy shared secrets that are resistant to brute‑force attacks.
  • Deploy OpenClaw only within trusted networks (e.g., Tailscale) and avoid exposing the gateway to the public internet.
  • Enable additional authentication layers, such as client certificates or multi‑factor authentication.

Impact:

An attacker who can reach the Tailscale‑capable authentication endpoint can bypass the per‑key rate‑limit budget, allowing them to perform brute‑force attacks on shared secrets at a higher rate than intended. Successful exploitation could lead to unauthorized access to the OpenClaw Gateway and its associated resources.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top