Description
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized webhook injection via brute-force of secrets
Action: Patch immediately
AI Analysis

Impact

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, which allows attackers to bypass the limits by repeatedly sending authentication requests with invalid secrets. This enables systematic brute‑force guessing of the webhook secret, after which the attacker can forge webhook requests to gain unauthorized access or perform privileged actions.

Affected Systems

The affected product is OpenClaw by OpenClaw, with all versions older than 2026.3.12. The vulnerability exists in the Node.js implementation of the webhook handling component.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium‑to‑high severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, through the public webhook endpoint; an attacker can send HTTP requests to trigger authentication without rate limiting, brute‑force the secret, and subsequently submit forged webhooks.

Generated by OpenCVE AI on March 31, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.12 or later.
  • Confirm all deployed instances are updated to the patched version.
  • If an upgrade cannot be performed immediately, implement additional rate limiting on the webhook endpoint before authentication to block repeated failed attempts.
  • Monitor webhook traffic for repeated authentication failures and investigate suspicious activity.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Tue, 31 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 11:45:00 +0000

Type: Description
Values Added: OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.

Type: Title
Values Added: OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-307

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T17:58:11.708Z

Reserved: 2026-03-30T13:51:47.549Z

Link: CVE-2026-34505

Vulnrichment

Updated: 2026-03-31T13:54:21.938Z

NVD

Status: Received

Published: 2026-03-31T12:16:30.237

Modified: 2026-03-31T18:16:56.423

Link: CVE-2026-34505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:56Z

Weaknesses