
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-xq8g-hgh6-87hv: Missing Rate Limiting in OpenClaw BlueBubbles Webhook Enables Brute-Force Attacks

Vulnerability ID: GHSA-XQ8G-HGH6-87HV
CVSS Score: 5.3
Published: 2026-03-27

The OpenClaw package before version 2026.3.25 fails to restrict the rate of incoming authentication attempts on its BlueBubbles webhook endpoint. This lack of rate limiting allows unauthenticated remote attackers to perform high-speed brute-force attacks against the webhook password, potentially resulting in unauthorized message processing and data access.

TL;DR

OpenClaw versions up to 2026.3.24 lack rate limiting on the BlueBubbles webhook endpoint. Attackers can brute-force the webhook authentication password to gain unauthorized access. Upgrading to version 2026.3.25 resolves the issue by implementing a fixed-window rate limiter.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-307
  • Attack Vector: Network
  • Authentication Required: None
  • Impact: Unauthorized Access
  • Exploit Status: Proof of Concept
  • Patched Version: 2026.3.25

Affected Systems

  • openclaw npm package (<= 2026.3.24)
  • openclaw: <= 2026.3.24 (Fixed in: 2026.3.25)

Code Analysis

Commit: 5e08ce3

Implemented fixed window rate limiter for webhook auth to prevent brute force attacks.

Exploit Details

  • OpenClaw Test Suite: Integration test monitor.webhook-auth.test.ts simulating 130 authentication requests to validate rate limits.

Mitigation Strategies

  • Upgrade the openclaw package to version 2026.3.25 or later.
  • Enforce strong, high-entropy passwords for webhook authentication so that brute-force guessing remains computationally infeasible even where a rate limit is bypassed or misconfigured.
  • Configure trusted proxies in the gateway settings to ensure accurate client IP resolution for rate limiting.

Remediation Steps:

  1. Update dependencies in package.json to require openclaw ^2026.3.25.
  2. Run 'npm install' or 'yarn install' to apply the updated package.
  3. Review network architecture to identify upstream reverse proxies or load balancers.
  4. Update OpenClaw configuration to explicitly define upstream proxy IP ranges in the 'trustedProxies' setting.
  5. Restart the OpenClaw service to ensure configuration changes and updated code take effect.
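To illustrate the two parts of the fix described above, the fixed-window limiter on webhook authentication and the trusted-proxy client IP resolution, here is an added TypeScript example. It is not OpenClaw's own code; the limit of 10 attempts per minute, the header handling and the sample addresses are assumptions, and the 130-attempt simulation mirrors the size of the project's integration test.

```typescript
// Added example (not OpenClaw's code): a fixed-window rate limiter keyed on
// client IP, plus a proxy-aware client IP resolver. Limits are assumptions.
interface WindowState { count: number; windowStart: number; }

class FixedWindowRateLimiter {
  private readonly buckets = new Map<string, WindowState>();
  constructor(private readonly maxAttempts: number, private readonly windowMs: number) {}

  // Returns true when the attempt is allowed, false when the key is throttled.
  // The counter resets only when a full window has elapsed since windowStart.
  allow(key: string, now: number = Date.now()): boolean {
    const state = this.buckets.get(key);
    if (!state || now - state.windowStart >= this.windowMs) {
      this.buckets.set(key, { count: 1, windowStart: now }); // new window
      return true;
    }
    state.count += 1;
    return state.count <= this.maxAttempts;
  }
}

// Resolve the client IP for rate limiting. X-Forwarded-For is honoured only
// when the direct peer is a configured trusted proxy; otherwise a caller could
// spoof the header and spread attempts across fabricated addresses.
function resolveClientIp(peerIp: string, forwardedFor: string | undefined,
                         trustedProxies: Set<string>): string {
  if (!trustedProxies.has(peerIp) || !forwardedFor) return peerIp;
  const hops = forwardedFor.split(",").map((s) => s.trim()).filter(Boolean);
  // Walk from the right, skipping trusted proxies, to the last untrusted hop.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return hops[0] ?? peerIp;
}

// Constructed scenario: n failed auth attempts from one address inside a
// single window, reporting how many the limiter lets through.
function simulateAttempts(n: number, limit: number, windowMs: number):
    { allowed: number; blocked: number } {
  const limiter = new FixedWindowRateLimiter(limit, windowMs);
  let allowed = 0, blocked = 0;
  const t0 = 1_000_000; // fixed clock so the run is deterministic
  for (let i = 0; i < n; i++) {
    if (limiter.allow("203.0.113.7", t0 + i)) allowed++; else blocked++;
  }
  return { allowed, blocked };
}
```

Running `simulateAttempts(130, 10, 60_000)` admits the first 10 attempts and rejects the remaining 120; after the window expires the counter starts fresh, which is the tradeoff of a fixed window versus a sliding one.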

