
[Bug]: Authentication Rate Limiting is Opt-In Only - Disabled by Default #16876

@coygeek

Description


Summary

The OpenClaw gateway does not enable authentication rate limiting by default. The rate limiter is only created when explicitly configured in the configuration file (gateway.auth.rateLimit). This leaves the authentication endpoints vulnerable to brute-force attacks.

Executive Risk Snapshot

  • CVSS v3.1: 8.8 (High)
  • CVSS v4.0: 8.7 (High)
  • Primary risk: The OpenClaw gateway does not enable authentication rate limiting by default.

Technical Analysis

Root cause: the auth rate limiter is instantiated only when gateway.auth.rateLimit is present in the configuration, so the default (unconfigured) code path applies no limit to authentication attempts.

Reachability: Start OpenClaw gateway without explicit rate limit configuration
Code path: File: src/gateway/server.impl.ts:301-305
Observed effect: The OpenClaw gateway does not enable authentication rate limiting by default. The rate limiter is only created when explicitly configured in the configuration file (gateway.auth.rateLimit). This leaves the authentication endpoints vulnerable to brute-force attacks.

Affected Code

File: src/gateway/server.impl.ts:301-305

```typescript
// Create auth rate limiter only when explicitly configured.
const rateLimitConfig = cfgAtStart.gateway?.auth?.rateLimit;
const authRateLimiter: AuthRateLimiter | undefined = rateLimitConfig
  ? createAuthRateLimiter(rateLimitConfig)
  : undefined;
```

Without configuration, authRateLimiter is undefined, meaning no rate limiting is applied to authentication attempts.

Steps to Reproduce

  1. Start OpenClaw gateway without explicit rate limit configuration
  2. Attempt multiple authentication attempts (WebSocket connections or HTTP auth)
  3. Observe no rate limiting is applied - all attempts are processed

Recommended Fix

Enable rate limiting by default or make it mandatory:
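The following is an added example, not OpenClaw's code: it shows the default-on pattern the recommendation asks for, together with a small simulation of the reproduction steps above (repeated failed attempts from one client), so the effect of the default can be checked rather than observed by hand. The identifiers `AuthRateLimitConfig`, `DEFAULT_AUTH_RATE_LIMIT`, `resolveAuthRateLimit`, `AuthRateLimiter`, `createAuthRateLimiter` and `simulateBruteForce`, the default values, and the client key `203.0.113.7` are all hypothetical stand-ins; the only things taken from the issue are the option name `gateway.auth.rateLimit` and the shape of the original ternary.

```typescript
// Added example (not OpenClaw's code). The names below are hypothetical.

export interface AuthRateLimitConfig {
  enabled?: boolean;    // explicit opt-out; default true
  maxAttempts?: number; // failed attempts tolerated per window
  windowMs?: number;    // length of the counting window
  lockoutMs?: number;   // how long a client is refused after hitting the limit
}

// Assumed defaults: absent config means these values, not "no limiter".
export const DEFAULT_AUTH_RATE_LIMIT: Required<AuthRateLimitConfig> = {
  enabled: true,
  maxAttempts: 5,
  windowMs: 60000,
  lockoutMs: 300000,
};

// Merge user config over the defaults (fail closed when nothing is configured).
export function resolveAuthRateLimit(
  cfg?: AuthRateLimitConfig,
): Required<AuthRateLimitConfig> {
  return { ...DEFAULT_AUTH_RATE_LIMIT, ...(cfg ?? {}) };
}

interface ClientState {
  failures: number[]; // timestamps of recent failed attempts
  lockedUntil: number; // epoch ms until which the client is refused
}

export class AuthRateLimiter {
  private readonly clients = new Map<string, ClientState>();

  // `now` is injectable so the behaviour can be tested with a fake clock.
  constructor(
    private readonly cfg: Required<AuthRateLimitConfig>,
    private readonly now: () => number = Date.now,
  ) {}

  // true  => the gateway may evaluate this client's credentials
  // false => refuse before touching the credential check at all
  check(clientKey: string): boolean {
    const s = this.clients.get(clientKey);
    return !s || s.lockedUntil <= this.now();
  }

  recordFailure(clientKey: string): void {
    const t = this.now();
    const s = this.clients.get(clientKey) ?? { failures: [], lockedUntil: 0 };
    // Drop failures that fell out of the window, then count this one.
    s.failures = s.failures.filter((ts) => t - ts < this.cfg.windowMs);
    s.failures.push(t);
    if (s.failures.length >= this.cfg.maxAttempts) {
      s.lockedUntil = t + this.cfg.lockoutMs;
      s.failures = [];
    }
    this.clients.set(clientKey, s);
  }

  recordSuccess(clientKey: string): void {
    this.clients.delete(clientKey);
  }
}

// Replacement for the `rateLimitConfig ? create(...) : undefined` ternary:
// the limiter exists unless the operator explicitly sets enabled: false.
export function createAuthRateLimiter(
  cfg?: AuthRateLimitConfig,
  now?: () => number,
): AuthRateLimiter | undefined {
  const resolved = resolveAuthRateLimit(cfg);
  if (!resolved.enabled) return undefined;
  return new AuthRateLimiter(resolved, now);
}

// Simulates the reproduction steps: `attempts` wrong guesses from one client.
// Returns how many guesses the gateway would actually evaluate; with no
// limiter that is every attempt, with the default limiter it is maxAttempts.
export function simulateBruteForce(
  limiter: AuthRateLimiter | undefined,
  attempts: number,
): number {
  const clientKey = "203.0.113.7"; // constructed sample client address
  let evaluated = 0;
  for (let i = 0; i < attempts; i++) {
    if (limiter && !limiter.check(clientKey)) continue; // refused early
    evaluated++;
    limiter?.recordFailure(clientKey); // constructed: every guess is wrong
  }
  return evaluated;
}

console.log("no limiter, 100 attempts evaluated:", simulateBruteForce(undefined, 100));
console.log("default limiter, 100 attempts evaluated:", simulateBruteForce(createAuthRateLimiter(), 100));
```

The operational difference is in `createAuthRateLimiter`: missing configuration now yields a limiter built from the defaults, and only an explicit `enabled: false` produces `undefined`. Keying the state by client address is a simplification; a real deployment behind a proxy would need the forwarded client address and should also consider a per-account counter so one client cannot spread guesses across addresses.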

Detailed Risk Analysis

CVSS Assessment

| Metric | v3.1 | v4.0 |
| --- | --- | --- |
| Score | 8.8 / 10.0 | 8.7 / 10.0 |
| Severity | High | High |
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Calculator | CVSS v3.1 Calculator | CVSS v4.0 Calculator |

Attack Surface

Reachable by any client that can reach the gateway authentication interfaces (HTTP auth endpoints and authenticated WebSocket flows). The OpenClaw gateway does not enable authentication rate limiting by default unless gateway.auth.rateLimit is explicitly configured. Exploitation requires no prior privileges.

Exploit Conditions

Exploitation complexity is low: an attacker can automate repeated credential guesses without bypassing any additional controls in the default configuration. No user interaction is required. Prerequisites are simply network reachability to the gateway and a deployment where auth rate limiting is left at its default (disabled) state.

Impact Assessment

Confidentiality impact is high due to increased probability of credential stuffing/account takeover and unauthorized data access after successful brute force. Integrity impact is high because compromised accounts can issue privileged operations through the gateway. Availability impact is high because unlimited auth attempts can also be used to degrade service through sustained authentication load.

References

Exploitability Proof

Source→sink path:

  1. Attacker scripts multiple authentication attempts to gateway
  2. Each attempt is processed without rate limiting
  3. No limit on failed attempts within any time window
  4. Attacker can brute-force passwords/tokens at full speed
  5. Successful authentication grants access to all gateway functionality

Mitigation Checks Performed

  • Checked for reverse proxy rate limiting (nginx, CloudFlare): NOT FOUND
  • Checked for default rate limit values: NOT FOUND - undefined when not configured
  • Checked for infrastructure config: NOT FOUND

Reproduction Evidence

Code at server.impl.ts:304 shows: `rateLimitConfig ? createAuthRateLimiter(rateLimitConfig) : undefined`
This ternary means that if no config is provided, rate limiting is completely disabled.

Why This Is Exploitable (Not Hardening)

This is a real exploitable vulnerability:

  • No configuration required to leave auth endpoints unprotected
  • Attackers can make unlimited authentication attempts
  • Brute-force attacks become trivial without rate limiting
  • Default-unsafe configuration violates security best practices

Metadata

Labels: stale (Marked as stale due to inactivity)