Summary
Fake DeviceToken Bypasses Shared Auth Rate Limiting
Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable.
Affected Packages / Versions
- Package:
openclaw (npm)
- Latest published npm version:
2026.3.31
- Vulnerable version range:
<=2026.3.28
- Patched versions:
>= 2026.3.31
- First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
af0c0862f22ca4492406a3103d05e3628f94cbe9 — 2026-03-31T09:08:57+09:00
Release Process Note
- The fix is already present in released version
2026.3.31.
OpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
References
Summary
Fake DeviceToken Bypasses Shared Auth Rate Limiting
Current Maintainer Triage
Affected Packages / Versions
openclaw(npm)2026.3.31<=2026.3.28>= 2026.3.31v2026.3.31Fix Commit(s)
af0c0862f22ca4492406a3103d05e3628f94cbe9— 2026-03-31T09:08:57+09:00Release Process Note
2026.3.31.OpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
References