Description
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing
Summary
BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password
Affected Packages / Versions
- Package: openclaw
- Affected versions: <= 2026.3.24
- First patched version: 2026.3.25
- Latest published npm version at verification time: 2026.3.24
Details
BlueBubbles webhook auth previously rejected wrong passwords without throttling repeated guesses, allowing brute-force attempts against weak webhook passwords. Commit 5e08ce36d522a1c96df2bfe88e39303ae2643d92 adds repeated-guess throttling before auth failure responses.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit 5e08ce36d522a1c96df2bfe88e39303ae2643d92.
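To illustrate the two behaviours the advisory contrasts, the Node.js snippet below is an added example (it is not openclaw's code and not the change in the fix commit). It places an unthrottled password check, where every wrong guess gets an immediate 401 and nothing slows a guessing loop, next to a check that counts failures per source within a sliding window and answers 429 once a limit is exceeded, before the password is even evaluated. The limits, the `sourceKey` argument, the function names and the sample passwords are all assumptions made for the example.

```javascript
// Added example, not openclaw's code: webhook password check with and
// without per-source throttling of repeated wrong guesses (CWE-307).

// Hypothetical limits (assumptions, not values from the advisory).
const MAX_FAILURES = 5;         // wrong guesses tolerated per window
const WINDOW_MS = 60 * 1000;    // sliding window for counting failures
const LOCKOUT_MS = 5 * 60 * 1000; // reject a source this long after the limit is hit

// Per-source failure state: sourceKey -> { timestamps: number[], lockedUntil: number }.
// In-memory only; a multi-process deployment would need shared storage.
const failures = new Map();

// Constant-time byte comparison so response timing does not leak how much of
// the password matched. crypto.timingSafeEqual is the usual choice; this
// inline version keeps the example free of module imports.
function safeEqual(a, b) {
  const ba = Buffer.from(String(a), "utf8");
  const bb = Buffer.from(String(b), "utf8");
  let diff = ba.length ^ bb.length;
  const len = Math.max(ba.length, bb.length);
  for (let i = 0; i < len; i++) {
    diff |= (i < ba.length ? ba[i] : 0) ^ (i < bb.length ? bb[i] : 0);
  }
  return diff === 0;
}

// Shape of the pre-fix behaviour: a wrong guess is answered at once, every time.
function checkUnthrottled(expected, supplied) {
  return safeEqual(expected, supplied) ? { status: 200 } : { status: 401 };
}

// Throttled variant: consult and update the failure counter before any
// auth-failure response goes out, and refuse attempts while locked out.
function checkThrottled(expected, supplied, sourceKey, now = Date.now()) {
  let entry = failures.get(sourceKey);
  if (!entry) {
    entry = { timestamps: [], lockedUntil: 0 };
    failures.set(sourceKey, entry);
  }
  if (now < entry.lockedUntil) {
    // Locked out: do not evaluate the password at all, even a correct one.
    return { status: 429, retryAfterMs: entry.lockedUntil - now };
  }
  // Forget failures that fell outside the sliding window.
  entry.timestamps = entry.timestamps.filter((t) => now - t < WINDOW_MS);

  if (safeEqual(expected, supplied)) {
    failures.delete(sourceKey); // a successful auth clears the counter
    return { status: 200 };
  }
  entry.timestamps.push(now);
  if (entry.timestamps.length >= MAX_FAILURES) {
    entry.lockedUntil = now + LOCKOUT_MS;
    return { status: 429, retryAfterMs: LOCKOUT_MS };
  }
  return { status: 401 };
}

// Replays a constructed burst of guesses from one source, 100 ms apart, and
// returns the status code each guess received.
function simulateBurst(expected, guesses, sourceKey, startMs) {
  failures.delete(sourceKey);
  return guesses.map(
    (g, i) => checkThrottled(expected, g, sourceKey, startMs + i * 100).status
  );
}

function resetThrottle() {
  failures.clear();
}

// Stand-alone demonstration with constructed values.
const secret = "example-webhook-password"; // constructed, not a real secret
const burst = ["a", "b", "c", "d", "e", "f", secret];
console.log("unthrottled:", burst.map((g) => checkUnthrottled(secret, g).status));
console.log("throttled:  ", simulateBurst(secret, burst, "198.51.100.7", 1000000));
```

Run with `node`: the unthrottled line shows six 401s followed by a 200, while the throttled line shows four 401s and then 429 for every later attempt, including the correct password, until the lockout expires. Counting the failure before the response is sent is the ordering that matters; a counter updated only on success would never trip.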
Fix Commit(s)
5e08ce36d522a1c96df2bfe88e39303ae2643d92
Packages
- Name: openclaw (npm)
- Affected versions: <= 2026.3.24
- Fixed version: Not available
Weaknesses
CWE-307
CWE-521