PT-2026-31365 · Npm · Openclaw
Publicado
2026-03-29
·
Atualizado
2026-03-29
CVSS v4.0
6.3
Média
| Vetor | AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Summary
Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Synology Chat webhook auth previously rejected invalid tokens without throttling repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit
0b4d07337467f4d40a0cc1ced83d45ceaec0863c adds repeated-guess throttling before auth failure responses.Verified vulnerable on tag
v2026.3.24 and fixed on main by commit 0b4d07337467f4d40a0cc1ced83d45ceaec0863c.Fix Commit(s)
0b4d07337467f4d40a0cc1ced83d45ceaec0863c
Correção
Improper Restriction of Excessive Authentication Attempts
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw