CWE-799
Allowed-with-ReviewImproper Control of Interaction Frequency
Abstraction: Class · Status: Incomplete
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
108 vulnerabilities reference this CWE, most recent first.
GHSA-5G37-4GXG-27M8
Vulnerability from github – Published: 2024-11-04 15:31 – Updated: 2024-11-08 15:31This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-51557"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T13:17:05Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.",
"id": "GHSA-5g37-4gxg-27m8",
"modified": "2024-11-08T15:31:12Z",
"published": "2024-11-04T15:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51557"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5RP8-95VQ-WM73
Vulnerability from github – Published: 2025-12-11 21:31 – Updated: 2025-12-11 21:31IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
{
"affected": [],
"aliases": [
"CVE-2025-13211"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-11T20:15:52Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.",
"id": "GHSA-5rp8-95vq-wm73",
"modified": "2025-12-11T21:31:33Z",
"published": "2025-12-11T21:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13211"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7254434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-63WG-87QV-RW4R
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-14 21:23The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "goalgorilla/open_social"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "goalgorilla/open_social"
},
"ranges": [
{
"events": [
{
"introduced": "12.4.0"
},
{
"fixed": "12.4.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "goalgorilla/open_social"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0-alpha1"
},
{
"fixed": "13.0.0-alpha11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-13274"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-14T21:23:11Z",
"nvd_published_at": "2025-01-09T20:15:36Z",
"severity": "MODERATE"
},
"details": "The distribution didn\u0027t validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.",
"id": "GHSA-63wg-87qv-rw4r",
"modified": "2025-01-14T21:23:11Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13274"
},
{
"type": "PACKAGE",
"url": "https://github.com/goalgorilla/open_social"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Drupal Open Social allows Functionality Misuse"
}
GHSA-64W9-MHV5-JC6G
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
{
"affected": [],
"aliases": [
"CVE-2025-13212"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:17:54Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.",
"id": "GHSA-64w9-mhv5-jc6g",
"modified": "2026-03-16T15:30:41Z",
"published": "2026-03-16T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13212"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7263486"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6554-RH36-HFH2
Vulnerability from github – Published: 2026-06-15 15:31 – Updated: 2026-06-15 15:31Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
{
"affected": [],
"aliases": [
"CVE-2026-5233"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T14:16:37Z",
"severity": "HIGH"
},
"details": "Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding.\n\nThis issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.",
"id": "GHSA-6554-rh36-hfh2",
"modified": "2026-06-15T15:31:33Z",
"published": "2026-06-15T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5233"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6FMH-3798-3J6G
Vulnerability from github – Published: 2026-04-30 15:30 – Updated: 2026-06-06 09:31Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding.
This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
{
"affected": [],
"aliases": [
"CVE-2026-7402"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T13:16:06Z",
"severity": "HIGH"
},
"details": "Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding.\n\nThis issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.",
"id": "GHSA-6fmh-3798-3j6g",
"modified": "2026-06-06T09:31:16Z",
"published": "2026-04-30T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7402"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0141"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6P8R-6M93-557F
Vulnerability from github – Published: 2026-04-03 03:09 – Updated: 2026-05-06 23:22Summary
Fake DeviceToken Bypasses Shared Auth Rate Limiting
Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
af0c0862f22ca4492406a3103d05e3628f94cbe9— 2026-03-31T09:08:57+09:00
Release Process Note
- The fix is already present in released version
2026.3.31.
OpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41333"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:09:18Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nFake DeviceToken Bypasses Shared Auth Rate Limiting\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `af0c0862f22ca4492406a3103d05e3628f94cbe9` \u2014 2026-03-31T09:08:57+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n\nOpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
"id": "GHSA-6p8r-6m93-557f",
"modified": "2026-05-06T23:22:13Z",
"published": "2026-04-03T03:09:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting"
}
GHSA-6RMX-GVVG-VH6J
Vulnerability from github – Published: 2026-03-09 19:52 – Updated: 2026-03-09 19:52OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key.
The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.2 - Patched version:
2026.3.7 - Latest published npm version at patch time:
2026.3.2
Impact
An unauthenticated network client that could reach /hooks/* could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery.
Fix Commit(s)
44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89
Verification
pnpm checkpassedpnpm test:fastpassed- focused hook regression tests passed
pnpm exec vitest run --config vitest.gateway.config.tsstill has unrelated current-mainfailures insrc/gateway/server-channels.test.tsandsrc/gateway/server-methods/agents-mutate.test.ts
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @JNX03 for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T19:52:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "OpenClaw\u0027s hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-`POST` requests (for example `GET`) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key.\n\nThe fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return `405 Method Not Allowed` without incrementing the hook auth limiter.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.2`\n- Patched version: `2026.3.7`\n- Latest published npm version at patch time: `2026.3.2`\n\n## Impact\n\nAn unauthenticated network client that could reach `/hooks/*` could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery.\n\n## Fix Commit(s)\n\n- `44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89`\n\n## Verification\n\n- `pnpm check` passed\n- `pnpm test:fast` passed\n- focused hook regression tests passed\n- `pnpm exec vitest run --config vitest.gateway.config.ts` still has unrelated current-`main` failures in `src/gateway/server-channels.test.ts` and `src/gateway/server-methods/agents-mutate.test.ts`\n\n## Release Process Note\n\nnpm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.\n\nThanks @JNX03 for reporting.",
"id": "GHSA-6rmx-gvvg-vh6j",
"modified": "2026-03-09T19:52:47Z",
"published": "2026-03-09T19:52:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw\u0027s hooks count non-POST requests toward auth lockout"
}
GHSA-76JH-WM3G-GCHP
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.
{
"affected": [],
"aliases": [
"CVE-2026-24017"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:17Z",
"severity": "HIGH"
},
"details": "An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker\u0027s resources and the password target complexity.",
"id": "GHSA-76jh-wm3g-gchp",
"modified": "2026-03-10T18:31:19Z",
"published": "2026-03-10T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24017"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-772M-773G-QMHC
Vulnerability from github – Published: 2025-02-13 00:33 – Updated: 2025-02-13 22:43An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the lack of rate limiting.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mayswind/ezbookkeeping"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57603"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-13T22:43:43Z",
"nvd_published_at": "2025-02-12T22:15:40Z",
"severity": "MODERATE"
},
"details": "An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the lack of rate limiting.",
"id": "GHSA-772m-773g-qmhc",
"modified": "2025-02-13T22:43:43Z",
"published": "2025-02-13T00:33:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57603"
},
{
"type": "WEB",
"url": "https://github.com/mayswind/ezbookkeeping/issues/33"
},
{
"type": "PACKAGE",
"url": "https://github.com/mayswind/ezbookkeeping"
},
{
"type": "WEB",
"url": "https://hkohi.ca/vulnerability/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Missing rate limit in MaysWind ezBookkeeping"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.