CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5847-RM3G-23MW: Authentication Rate Limit Bypass via IPv6-Mapped Address

Vulnerability ID: GHSA-5847-RM3G-23MW
CVSS Score: 7.5
Published: 2026-03-03

A security vulnerability exists in the OpenClaw AI agent framework's hook authentication mechanism. The flaw permits attackers to bypass configured rate limits because the rate limiter keys its attempt buckets on the raw string form of the client IP address rather than on a canonical form. By alternating between standard IPv4 notation and IPv4-mapped IPv6 notation, a single attacker can make the rate limiter allocate multiple attempt buckets for the same source, significantly weakening protection against brute-force credential attacks.

TL;DR

Attackers can bypass authentication rate limits by switching between IPv4 (1.2.3.4) and IPv4-mapped IPv6 (::ffff:1.2.3.4) addresses, effectively doubling their allowed brute-force attempts per IP.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-307
  • Vulnerability Type: Rate Limit Bypass
  • Attack Vector: Network
  • Severity: Medium/High
  • Platform: Node.js
  • Status: Patched

Affected Systems

  • OpenClaw
  • OpenClaw: < Feb 22 2026 (Fixed in: commit 3284d2eb)

Code Analysis

Commit: 3284d2e

Fix rate limit bypass by normalizing IPv4-mapped IPv6 addresses

// resolveClientIp is OpenClaw's existing address-parsing helper; it is defined
// elsewhere in the code base and is not shown in the report. Per the commit
// message, routing the address through it normalizes IPv4-mapped IPv6 input,
// so "1.2.3.4" and "::ffff:1.2.3.4" now produce the same rate-limit key.
// An address that cannot be resolved falls back to a single shared "unknown"
// bucket instead of getting a bucket of its own.
function normalizeRateLimitClientIp(ip: string | undefined): string {
  return resolveClientIp({ remoteAddr: ip }) ?? "unknown";
}
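The bypass and the fix side by side, as an added example (this is not OpenClaw's code, and `normalizeClientIp`, `LoginRateLimiter` and `compareLimiters` are names chosen here): a toy login rate limiter keyed on the raw address string, which is the pre-fix behaviour the report describes, next to one keyed on a canonical form. The normalizer goes slightly beyond the page in also folding the hexadecimal spelling of the mapped address (`::ffff:102:304`) and compressed versus expanded spellings of ordinary IPv6 addresses into one key each; the attempt sequence it runs is constructed sample input.

```typescript
// Added example, not OpenClaw code. A login rate limiter that keys its attempt
// buckets on the raw client-address string (the pre-fix behaviour described in
// the report) beside one that keys on a canonical form of the address.

// Dotted-quad IPv4 with each octet in 0..255 (leading zeros rejected).
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Parses a lower-cased IPv6 literal into eight 16-bit groups, accepting "::"
// compression and an embedded dotted-quad tail ("::ffff:1.2.3.4").
// Returns null for anything that is not a syntactically valid IPv6 address.
function parseIPv6(s: string): number[] | null {
  let body = s;
  const lastColon = s.lastIndexOf(":");
  const tail = s.slice(lastColon + 1);
  if (tail.includes(".")) {
    // Rewrite the dotted quad as its two hexadecimal groups.
    if (!IPV4_RE.test(tail)) return null;
    const o = tail.split(".").map(Number);
    const hi = ((o[0] << 8) | o[1]).toString(16);
    const lo = ((o[2] << 8) | o[3]).toString(16);
    body = s.slice(0, lastColon + 1) + hi + ":" + lo;
  }
  const halves = body.split("::");
  if (halves.length > 2) return null;
  const toGroups = (part: string): number[] | null => {
    if (part === "") return [];
    const out: number[] = [];
    for (const g of part.split(":")) {
      if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
      out.push(parseInt(g, 16));
    }
    return out;
  };
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  if (head === null || rest === null) return null;
  if (halves.length === 1) return head.length === 8 ? head : null;
  const zeros = 8 - head.length - rest.length;
  if (zeros < 1) return null;
  return [...head, ...new Array<number>(zeros).fill(0), ...rest];
}

// Canonical key for rate limiting. Plain IPv4 and IPv4-mapped IPv6 input
// (dotted "::ffff:1.2.3.4" or hexadecimal "::ffff:102:304") both yield the
// dotted quad; any other IPv6 address is returned fully expanded in lower
// case; unparseable or missing input shares a single "unknown" bucket.
function normalizeClientIp(ip: string | undefined): string {
  if (ip === undefined) return "unknown";
  const s = ip.trim().toLowerCase();
  if (IPV4_RE.test(s)) return s;
  if (!s.includes(":")) return "unknown";
  const groups = parseIPv6(s);
  if (groups === null) return "unknown";
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  if (mapped) {
    const hi = groups[6];
    const lo = groups[7];
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
  }
  return groups.map((g) => g.toString(16)).join(":");
}

// Minimal fixed-window limiter: each key may make at most maxAttempts attempts.
class LoginRateLimiter {
  private readonly attempts = new Map<string, number>();
  constructor(private readonly maxAttempts: number, private readonly keyOf: (ip: string | undefined) => string) {}

  // Records one attempt from ip; returns false when the source is throttled.
  tryAttempt(ip: string | undefined): boolean {
    const key = this.keyOf(ip);
    const n = (this.attempts.get(key) ?? 0) + 1;
    this.attempts.set(key, n);
    return n <= this.maxAttempts;
  }

  bucketCount(): number {
    return this.attempts.size;
  }
}

// Sends 2*max attempts from one host, alternating the two spellings of its
// address, through a raw-keyed limiter and a normalized one, and reports how
// many attempts each let through and how many buckets each allocated.
function compareLimiters(max = 5): { raw: number; normalized: number; rawBuckets: number; normalizedBuckets: number } {
  const rawLimiter = new LoginRateLimiter(max, (ip) => ip ?? "unknown");
  const fixedLimiter = new LoginRateLimiter(max, normalizeClientIp);
  const spellings = ["1.2.3.4", "::ffff:1.2.3.4"]; // constructed sample input
  let raw = 0;
  let normalized = 0;
  for (let i = 0; i < 2 * max; i++) {
    const ip = spellings[i % 2];
    if (rawLimiter.tryAttempt(ip)) raw++;
    if (fixedLimiter.tryAttempt(ip)) normalized++;
  }
  return { raw, normalized, rawBuckets: rawLimiter.bucketCount(), normalizedBuckets: fixedLimiter.bucketCount() };
}

console.log(compareLimiters());
// → { raw: 10, normalized: 5, rawBuckets: 2, normalizedBuckets: 1 }
```

With a limit of five attempts, the raw-keyed limiter lets all ten attempts through because it opened one bucket per spelling, while the normalized limiter stops at five. The normalization has to sit at whichever layer actually derives the client address before it is used as a key, which is also the intent of the load-balancer mitigation listed below; unparseable input is deliberately collapsed into one shared bucket rather than given a bucket of its own, and leading-zero octets (which some parsers read as octal) are rejected rather than guessed at.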

Exploit Details

  • GitHub: Regression tests included in the fix commit demonstrate the bypass mechanism.

Mitigation Strategies

  • Update OpenClaw to the latest version immediately.
  • Implement IP normalization at the load balancer level if immediate patching is not possible.
  • Restrict access to hook endpoints to trusted networks only.

Remediation Steps:

  1. Identify the running version of OpenClaw.
  2. Pull the latest changes from the official repository or upgrade to a release post-dating February 22, 2026.
  3. Verify the fix by running the regression tests included in the patch (checking ::ffff: handling).
  4. Restart the OpenClaw service to apply the changes.

References

Read the full report for GHSA-5847-RM3G-23MW on our website for more details including interactive diagrams and full exploit analysis.
