Description
OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently submit forged Zalo webhook traffic.
Published: 2026-03-31
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Rate Limiting Bypass / Brute-Force Webhook Secrets
Action: Immediate Patch
AI Analysis

Impact

In OpenClaw versions before 2026.3.12 the rate-limiting mechanism for webhook endpoints is applied only after a request has authenticated successfully. Because the check comes too late, an attacker can send many requests that fail authentication without ever triggering a 429 response. This allows the attacker to repeatedly guess the secret key until the correct one is discovered and then use that valid credential to send forged Zalo webhook traffic. The weakness is an access-control failure classified as CWE-307 (improper restriction of excessive authentication attempts) and results in unauthorized use of the webhook API.

Affected Systems

The vulnerability affects the OpenClaw application; all installations running OpenClaw version 2026.3.11 or earlier are impacted. There is no other product or vendor listed as affected in the CNA data.

Risk and Exploitability

The CVSS base score of 6.3 describes a medium-severity flaw with potential for unauthorized access to the webhook interface. The EPSS score is not provided, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation to date. However, the attack vector is likely remote, as the webhook endpoint is accessible over the Internet. An attacker can launch the brute-force attack from any location that can reach the webhook URL, and by bypassing the rate limiter the attack can be carried out at high frequency until the secret key is discovered. Overall the risk is moderate to high for systems that rely on the webhook for critical integrations and do not have additional rate limiting or firewall controls in place.

Generated by OpenCVE AI on March 31, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading OpenClaw to version 2026.3.12 or later.
  • If an upgrade is delayed, place an external rate limiter or firewall rule at the webhook URL to restrict request frequency regardless of authentication.
  • Rotate any existing webhook secrets after the patch to prevent use of credentials that may have been discovered during the attack window.
  • Monitor incoming webhook traffic for anomalous patterns, such as a high volume of authentication failures or suspicious payloads, and investigate promptly.

Generated by OpenCVE AI on March 31, 2026 at 12:22 UTC.
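Added example, not OpenClaw's code (the handler, the per-source key and the limits are hypothetical): the check ordering described in the Impact section placed beside the corrected ordering, in which the limiter counts every request regardless of authentication, as the recommended actions above call for.

```javascript
// Added example, not OpenClaw's code: a hypothetical webhook handler in the
// vulnerable order (authenticate, then rate-limit) beside the corrected order
// (rate-limit every request, then authenticate). Return values are HTTP codes.
const WINDOW_MS = 60_000;    // fixed-window length
const MAX_PER_WINDOW = 20;   // requests allowed per source per window
const buckets = new Map();   // source (e.g. client IP) -> { windowStart, count }

// Counts one request for `source` and reports whether its quota is exceeded.
function overLimit(source, now = Date.now()) {
  let b = buckets.get(source);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    b = { windowStart: now, count: 0 };
    buckets.set(source, b);
  }
  b.count += 1;
  return b.count > MAX_PER_WINDOW;
}

// Comparison whose running time depends only on the expected secret, so a
// wrong guess leaks nothing through response time (a real Node service
// would use crypto.timingSafeEqual instead of this hand-rolled loop).
function secretMatches(presented, expected) {
  const a = String(presented ?? "");
  let diff = a.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ (a.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Vulnerable ordering: a failed guess returns 401 before the limiter ever
// sees it, so an unlimited stream of guesses never produces a 429.
function handleWebhookVulnerable(req, expectedSecret) {
  if (!secretMatches(req.secret, expectedSecret)) return 401;
  if (overLimit(req.source)) return 429;
  return 200;
}

// Fixed ordering: the limiter counts every request, authenticated or not,
// so a guessing burst from one source is cut off after MAX_PER_WINDOW.
function handleWebhookFixed(req, expectedSecret) {
  if (overLimit(req.source)) return 429;
  if (!secretMatches(req.secret, expectedSecret)) return 401;
  return 200;
}

// Clears all windows; used to start each scenario from a clean state.
function resetLimiter() { buckets.clear(); }
```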

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Tue, 31 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 11:45:00 +0000

Values Added
Description: OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently submit forged Zalo webhook traffic.
Title: OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-307
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References:
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T17:58:46.420Z

Reserved: 2026-03-30T13:51:47.549Z

Link: CVE-2026-34508

Vulnrichment

Updated: 2026-03-31T15:39:11.320Z

NVD

Status : Received

Published: 2026-03-31T12:16:30.647

Modified: 2026-03-31T18:16:56.847

Link: CVE-2026-34508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:54Z

Weaknesses