Description
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.
Published: 2026-04-09
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Access via brute‑force of Telegram webhook secrets
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing rate-limiting mechanism on the Telegram webhook authentication in OpenClaw versions prior to 2026.3.25. Because failed authentication attempts are neither throttled nor locked out, an adversary can submit an unlimited number of guesses against the webhook secret and, if that secret is weak, recover it by brute force. With the secret in hand the attacker can deliver forged Telegram updates to the webhook, which the application then processes as genuine; both CVSS vectors rate the resulting confidentiality and integrity impact as low. The weakness is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts).

Affected Systems

The issue affects any deployment of OpenClaw earlier than 2026.3.25 that exposes the Telegram webhook endpoint; the CPE record (target software node.js) covers the Node.js builds. No operating system or hardware constraint is noted in the advisory.

Risk and Exploitability

The 6.3 score is the CVSS v4.0 base score (Medium); the CVSS v3.1 base score on the same record is 4.8, also Medium. Both vectors mark attack complexity as high (AC:H), reflecting that the attacker still has to guess the secret, while requiring no privileges and no user interaction. No EPSS score has been reported, so the exploitation probability is uncertain, and the CVE is not listed in the CISA KEV catalog, so no in‑the‑wild exploitation has been confirmed. An attacker needs only network reachability to the webhook endpoint and can iterate candidate secrets by hand or with an automated tool. With no throttling, the time to succeed is bounded only by the secret's entropy and the attacker's request rate: a short or dictionary‑based secret falls quickly, whereas a long random one remains impractical to guess even without rate limiting.

Generated by OpenCVE AI on April 9, 2026 at 22:51 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description identifies 2026.3.25 as the first version without the flaw, so upgrading to that version is the fix.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.25 or later.
  • Verify that the webhook secret is long and randomly generated rather than a guessable word or phrase.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:45:00 +0000

Type                 Values Removed   Values Added
Description          -                OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.
Title                -                OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting
First Time appeared  -                Openclaw; Openclaw openclaw
Weaknesses           -                CWE-307
CPEs                 -                cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products   -                Openclaw; Openclaw openclaw
References           -                (none)
Metrics              -                cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                                      cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-09T21:27:00.140Z

Reserved: 2026-04-04T12:29:42.738Z

Link: CVE-2026-35628

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T22:16:31.423

Modified: 2026-04-09T22:16:31.423

Link: CVE-2026-35628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:34Z

Weaknesses