Common Weakness Enumeration

CWE-799

Allowed-with-Review

Improper Control of Interaction Frequency

Abstraction: Class · Status: Incomplete

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

108 vulnerabilities reference this CWE, most recent first.

GHSA-RFH8-HGH4-42Q6

Vulnerability from github – Published: 2024-06-14 00:33 – Updated: 2024-06-14 00:33
VLAI
Details

NVIDIA vGPU software for Linux contains a vulnerability in the Virtual GPU Manager, where an untrusted guest VM can cause improper control of the interaction frequency in the host. A successful exploit of this vulnerability might lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T22:15:13Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA vGPU software for Linux contains a vulnerability in the Virtual GPU Manager, where an untrusted guest VM can cause improper control of the interaction frequency in the host. A successful exploit of this vulnerability might lead to denial of service.",
  "id": "GHSA-rfh8-hgh4-42q6",
  "modified": "2024-06-14T00:33:07Z",
  "published": "2024-06-14T00:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0094"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5551"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJ42-V997-M6XJ

Vulnerability from github – Published: 2026-03-26 15:30 – Updated: 2026-03-26 15:30
VLAI
Details

HCL Aftermarket DPC is affected by Spamming Vulnerability which can allow the actor to excessive spamming can consume server bandwidth and processing resources which may lead to Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T13:16:26Z",
    "severity": "MODERATE"
  },
  "details": "HCL Aftermarket DPC is affected by Spamming Vulnerability which can allow the actor to excessive spamming can consume server bandwidth and processing resources which may lead to Denial of Service.",
  "id": "GHSA-rj42-v997-m6xj",
  "modified": "2026-03-26T15:30:38Z",
  "published": "2026-03-26T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55268"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0129793"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQR4-MC25-2CVQ

Vulnerability from github – Published: 2024-06-21 00:33 – Updated: 2025-07-30 18:31
VLAI
Details

An attacker may be able to cause a denial-of-service condition by sending many packets repeatedly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T23:15:52Z",
    "severity": "HIGH"
  },
  "details": "An attacker may be able to cause a denial-of-service condition by sending many packets repeatedly.",
  "id": "GHSA-rqr4-mc25-2cvq",
  "modified": "2025-07-30T18:31:26Z",
  "published": "2024-06-21T00:33:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35246"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VP6F-F84F-RM77

Vulnerability from github – Published: 2024-06-04 09:30 – Updated: 2024-06-04 09:30
VLAI
Details

: Improper Control of Interaction Frequency vulnerability in cartpauj Cartpauj Register Captcha allows Functionality Misuse.This issue affects Cartpauj Register Captcha: from n/a through 1.0.02.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-04T08:15:09Z",
    "severity": "MODERATE"
  },
  "details": ": Improper Control of Interaction Frequency vulnerability in cartpauj Cartpauj Register Captcha allows Functionality Misuse.This issue affects Cartpauj Register Captcha: from n/a through 1.0.02.",
  "id": "GHSA-vp6f-f84f-rm77",
  "modified": "2024-06-04T09:30:57Z",
  "published": "2024-06-04T09:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40673"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/cartpauj-register-captcha/wordpress-cartpauj-register-captcha-plugin-1-0-02-captcha-bypass-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W36C-M53M-R93M

Vulnerability from github – Published: 2024-09-26 12:32 – Updated: 2024-09-26 12:32
VLAI
Details

Rate limit vulnerability in Clibo Manager v1.1.9.2 that could allow an attacker to send a large number of emails to the victim in a short time, affecting availability and leading to a denial of service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-26T10:15:05Z",
    "severity": "MODERATE"
  },
  "details": "Rate limit vulnerability in Clibo Manager v1.1.9.2 that could allow an attacker to send a large number of emails to the victim in a short time, affecting availability and leading to a denial of service (DoS).",
  "id": "GHSA-w36c-m53m-r93m",
  "modified": "2024-09-26T12:32:02Z",
  "published": "2024-09-26T12:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9199"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-clibo-manager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9F5-8Q83-QWPX

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-04 22:00
VLAI
Summary
Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-6p8r-6m93-557f. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T22:00:35Z",
    "nvd_published_at": "2026-04-23T22:16:39Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6p8r-6m93-557f. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.",
  "id": "GHSA-w9f5-8q83-qwpx",
  "modified": "2026-05-04T22:00:35Z",
  "published": "2026-04-24T00:31:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41333"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting",
  "withdrawn": "2026-05-04T22:00:35Z"
}

GHSA-WWFP-W96M-C6X8

Vulnerability from github – Published: 2026-04-07 18:14 – Updated: 2026-05-06 23:25
VLAI
Summary
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Details

Summary

Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.

Impact

This issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: >= 2026.2.26, < 2026.3.31
  • Patched versions: >= 2026.3.31
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • 9bc1f896c8cd325dd4761681e9bdb8c425f69785 — scope pending request caps per account

Release Process Note

The fix shipped in OpenClaw 2026.3.31 on March 31, 2026. The current published npm release 2026.4.1 from April 1, 2026 also contains the fix.

Thanks @smaeljaish771 for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.2.26"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T18:14:44Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nBefore OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.\n\n## Impact\n\nThis issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003e= 2026.2.26, \u003c 2026.3.31`\n- Patched versions: `\u003e= 2026.3.31`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `9bc1f896c8cd325dd4761681e9bdb8c425f69785` \u2014 scope pending request caps per account\n\n## Release Process Note\n\nThe fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix.\n\nThanks @smaeljaish771 for reporting.",
  "id": "GHSA-wwfp-w96m-c6x8",
  "modified": "2026-05-06T23:25:01Z",
  "published": "2026-04-07T18:14:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41346"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Pairing pending-request caps were enforced per channel instead of per account"
}

GHSA-XCMQ-RM2P-F25P

Vulnerability from github – Published: 2024-06-04 15:30 – Updated: 2024-06-04 15:30
VLAI
Details

Improper Control of Interaction Frequency vulnerability in Metagauss RegistrationMagic allows Functionality Misuse.This issue affects RegistrationMagic: from n/a through 5.2.5.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-04T13:15:50Z",
    "severity": "MODERATE"
  },
  "details": "Improper Control of Interaction Frequency vulnerability in Metagauss RegistrationMagic allows Functionality Misuse.This issue affects RegistrationMagic: from n/a through 5.2.5.0.",
  "id": "GHSA-xcmq-rm2p-f25p",
  "modified": "2024-06-04T15:30:57Z",
  "published": "2024-06-04T15:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51544"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/custom-registration-form-builder-with-submission-manager/wordpress-registrationmagic-plugin-5-2-5-0-form-submission-limit-bypass-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.