PT-2026-31365 — Improper Restriction of Excessive Authentication Attempts in Npm Openclaw

PT-2026-31365 · Npm · Openclaw

Published

2026-03-29

Updated

2026-03-29

CVSS v4.0

6.3

Medium

Vector

AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Summary

Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token

Affected Packages / Versions

Package: openclaw
Affected versions: <= 2026.3.24
First patched version: 2026.3.25
Latest published npm version at verification time: 2026.3.24

Details

Synology Chat webhook auth previously rejected invalid tokens without throttling repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit 0b4d07337467f4d40a0cc1ced83d45ceaec0863c adds repeated-guess throttling before auth failure responses.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit 0b4d07337467f4d40a0cc1ced83d45ceaec0863c.

Fix Commit(s)

0b4d07337467f4d40a0cc1ced83d45ceaec0863c

Fix

Improper Restriction of Excessive Authentication Attempts

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-521CWE-307

Related Identifiers

GHSA-MF5G-6R6F-GHHM

Affected Products

Openclaw