CVE-2026-62220 in OpenClaw
Summary
by MITRE • 07/17/2026
OpenClaw 2026.2.25 before 2026.5.26 allow a lower-trust caller or configured input path to bypass non-browser rate limits on WebSocket authentication attempts. When the affected feature is enabled and reachable by lower-trust input, this can consume gateway resources and reduce service availability.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability in OpenClaw 2026.2.25 before 2026.5.26 represents a significant security weakness that undermines the system's rate limiting mechanisms specifically for WebSocket authentication attempts. This flaw allows malicious actors or unauthorized users with lower trust levels to circumvent the intended rate limits that typically protect against excessive authentication requests. The vulnerability manifests when the affected WebSocket authentication feature is enabled and accessible through input paths that are configured to accept lower-trust callers, creating an attack surface where resource exhaustion can occur without proper access controls.
The technical implementation of this vulnerability stems from inadequate validation of caller trust levels within the WebSocket authentication pathway. When a lower-trust caller attempts to establish WebSocket connections for authentication purposes, the system fails to properly enforce rate limiting restrictions that should normally apply to such requests. This misconfiguration allows attackers to flood the gateway with authentication attempts at rates that would typically be restricted, effectively bypassing the intended protective measures designed to prevent abuse and ensure service availability.
The operational impact of this vulnerability extends beyond simple denial-of-service conditions to include substantial resource consumption on the gateway infrastructure. Attackers can leverage this weakness to consume excessive CPU cycles, memory resources, and network bandwidth through repeated WebSocket authentication attempts without proper rate limiting enforcement. This resource exhaustion directly impacts service availability and can potentially affect legitimate users who rely on the WebSocket authentication services for normal operations. The vulnerability creates a scenario where malicious actors can degrade system performance or even cause complete service outages through sustained exploitation of the bypassed rate limits.
From a security framework perspective, this vulnerability aligns with CWE-307 - "Improper Restriction of Excessive Authentication Attempts" and represents a failure in access control enforcement mechanisms. The issue also maps to ATT&CK technique T1190 - "Exploit Public-Facing Application" as it allows exploitation of publicly accessible WebSocket endpoints. The vulnerability demonstrates poor principle of least privilege implementation where lower-trust callers should not be granted the same rate limiting exemptions as higher-trust authenticated users.
Mitigation strategies should focus on implementing proper caller trust level validation before applying rate limiting rules, ensuring that all WebSocket authentication attempts are properly authenticated and that lower-trust callers cannot bypass the established rate limiting controls. System administrators should configure input path restrictions to prevent unauthorized access to WebSocket authentication endpoints and implement robust logging to detect unusual authentication patterns that may indicate exploitation attempts. Additionally, organizations should consider implementing more granular rate limiting policies that differentiate between various caller trust levels and ensure that all authentication pathways properly enforce resource usage constraints regardless of the caller's trust designation.