OpenClaw Race Condition Vulnerability in Shared-Secret Authentication Allowing Rate-Limit Bypass
Vulnerability
A race condition has been identified in OpenClaw versions prior to 2026.4.4, in the shared-secret authentication path. The per-key rate-limit budget is checked and consumed in separate steps with an asynchronous boundary between them, so concurrent requests for the same key are all evaluated against the same not-yet-consumed budget and all pass the check before any of them is counted. An attacker who sends many authentication attempts at once therefore gets far more attempts through than the budget allows, circumventing the intended rate limiting on Tailscale-capable paths. Sequential requests are limited correctly; only overlapping ones slip past.
Impact
Exploitation lets an attacker who can reach a Tailscale-capable authentication path make many more shared-secret attempts per key and per window than the budget permits. Since that budget is the control that slows credential guessing, the bypass weakens brute-force protection for the shared secret in proportion to how many concurrent requests the attacker can keep in flight.
Reproduction
The vulnerability can be reproduced by choosing a single key, sending a number of shared-secret authentication requests well above the per-key budget, and issuing them concurrently rather than one after another, so that they overlap inside the authentication path. On a vulnerable build, more requests than the budget allows receive an authentication verdict (success or wrong secret) instead of the rate-limited response; on a patched build, only the budgeted number do and the rest are rejected. The same requests sent sequentially are limited correctly on both builds, so the gap between the sequential and the concurrent result is the observable signal.
Remediation
Users should upgrade to OpenClaw version 2026.4.4 or later, where this vulnerability has been patched. Until the upgrade is applied, the per-key budget should not be relied on as the only defence against guessing: restrict which peers can reach the authentication path and make sure shared secrets are long and random, so that a bypassed budget does not make guessing practical.
