CVE-2026-41913
Received Received - Intake
Race Condition in OpenClaw Authentication Bypasses Rate Limiting

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VulnCheck

Description
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41913
EUVD
EUVD-2026-26119
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41913 is a race condition vulnerability in OpenClaw versions before 2026.4.4 that affects the shared-secret authentication mechanism.

This flaw allows attackers to send multiple concurrent asynchronous authentication requests that bypass the intended per-key rate-limit budget on Tailscale-capable paths.

Because of this race condition, the rate-limiting protections designed to limit authentication attempts can be circumvented, enabling attackers to exceed allowed authentication attempts.

Impact Analysis

This vulnerability can allow attackers to bypass rate-limiting controls on authentication attempts, potentially leading to abuse of authentication resources.

By circumventing the per-key rate-limit, attackers might perform a higher number of authentication attempts than intended, which could increase the risk of unauthorized access attempts or denial of service on authentication mechanisms.

However, the vulnerability does not impact confidentiality, integrity, availability, or scope according to the CVSS v4 vector.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.4 or later, where the race condition issue in shared-secret authentication has been fixed.

This update resolves the concurrency issue that allowed attackers to bypass the per-key rate-limit by sending multiple simultaneous authentication attempts.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-41913 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart