PT-2026-30784 · Npm · Openclaw

Published: 2026-03-27 · Updated: 2026-03-27

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

The BlueBubbles webhook authentication rejected wrong passwords without throttling repeated guesses, so a remote client could submit password candidates as fast as the server answered and brute-force a weak webhook password. Commit 5e08ce36d522a1c96df2bfe88e39303ae2643d92 adds throttling of repeated failed guesses before the auth-failure response is returned.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit 5e08ce36d522a1c96df2bfe88e39303ae2643d92. At verification time the first patched release (2026.3.25) had not yet been published to npm; the latest published version was still the vulnerable 2026.3.24.
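The two shapes described above, as an added example that is not openclaw's code or the fix commit's code: an unthrottled webhook password check beside a hardened one that counts failed guesses per source and answers 429 before evaluating the password once the limit is hit. The limit (5 failures per 60 s), the per-source key, the 4-digit sample password and the simulated request timing are all assumptions chosen to make the brute-force difference visible.

```javascript
// Added example (not openclaw's code): webhook password check with and without
// throttling of repeated failed guesses. Limits and names are assumptions.

// Constant-time comparison so the check does not leak which prefix matched.
// Length still leaks; acceptable here because the policy is the point.
function passwordsMatch(expected, presented) {
  const a = String(expected);
  const b = String(presented);
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i += 1) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Vulnerable shape: every request gets a fresh comparison, so the attacker
// can test guesses as fast as the server responds.
function makeUnthrottledAuth(expectedPassword) {
  return function check(_source, presented) {
    return passwordsMatch(expectedPassword, presented)
      ? { status: 200, reason: 'ok' }
      : { status: 401, reason: 'bad-password' };
  };
}

// Hardened shape: per-source failure counter inside a sliding window. Once the
// limit is reached the request is refused *before* the password is compared,
// so a throttled request reveals nothing about the guess. A successful auth
// clears the counter; an expired window resets it.
function makeThrottledAuth(expectedPassword, { maxFailures = 5, windowMs = 60_000 } = {}) {
  const failures = new Map(); // source -> { count, windowStart }
  return function check(source, presented, now = Date.now()) {
    let entry = failures.get(source);
    if (entry && now - entry.windowStart >= windowMs) {
      failures.delete(source);
      entry = undefined;
    }
    if (entry && entry.count >= maxFailures) {
      return { status: 429, reason: 'throttled', retryAfterMs: entry.windowStart + windowMs - now };
    }
    if (passwordsMatch(expectedPassword, presented)) {
      failures.delete(source);
      return { status: 200, reason: 'ok' };
    }
    if (!entry) entry = { count: 0, windowStart: now };
    entry.count += 1;
    failures.set(source, entry);
    return { status: 401, reason: 'bad-password' };
  };
}

// Simulated brute force from one source, one guess every `stepMs`. Returns how
// many guesses the server actually evaluated and whether the password fell.
function bruteForce(check, source, candidates, stepMs = 10) {
  let evaluated = 0;
  let cracked = null;
  let t = 0;
  for (const guess of candidates) {
    const r = check(source, guess, t);
    t += stepMs;
    if (r.status === 429) continue; // refused without evaluation
    evaluated += 1;
    if (r.status === 200) { cracked = guess; break; }
  }
  return { evaluated, cracked };
}

// Constructed sample: a weak 4-digit webhook password and the full candidate space.
const WEAK_PASSWORD = '4271';
const candidates = Array.from({ length: 10000 }, (_, i) => String(i).padStart(4, '0'));

console.log('unthrottled:', bruteForce(makeUnthrottledAuth(WEAK_PASSWORD), '198.51.100.7', candidates));
console.log('throttled:  ', bruteForce(makeThrottledAuth(WEAK_PASSWORD), '198.51.100.7', candidates));
```

With these assumptions the unthrottled check evaluates 4,272 guesses and gives up the password; the throttled check evaluates only 5 guesses per minute per source, so the same candidate list yields 10 evaluated guesses and no hit. Keying the counter on the request source is what keeps a legitimate sender from being locked out by someone else's guessing; keying on the webhook alone would turn the throttle into a denial of service against the real BlueBubbles server.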

Fix Commit(s)

  • 5e08ce36d522a1c96df2bfe88e39303ae2643d92

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Related Identifiers

GHSA-XQ8G-HGH6-87HV

Affected Products

Openclaw