Description
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.
Published: 2026-04-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Compromise
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.25 contain a pre-authentication rate‑limit bypass in the webhook token validation logic. The flaw causes invalid tokens to be rejected without imposing a throttle on repeated authentication attempts, allowing an attacker to brute‑force weak webhook secrets quickly. Successful guessing of a secret grants the attacker unauthorized access to the webhook service, which can lead to malicious data injection or execution of unintended actions, thereby compromising the integrity and confidentiality of the system."

Affected Systems

The vulnerability affects OpenClaw software distributed under the OpenClaw product line, specifically any installation running a version earlier than 2026.3.25. The software operates in a Node.js environment, and the weakness resides in the web layer that processes incoming webhook requests.

Risk and Exploitability

The CVSS v3 base score of 6.3 classifies this issue as medium severity. No EPSS score is available, and the vulnerability is not listed on the CISA KEV catalog. The most likely attack vector is remote over the network, requiring no prior authentication. An attacker can launch rapid successive requests directly to the webhook endpoint to enumerate or guess weak secrets, achieving the effect if the secret is not sufficiently complex. There are no notable environmental constraints beyond having network exposure to the webhook interface.

Generated by OpenCVE AI on April 9, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.25 or later to eliminate the rate‑limit bypass flaw.

Generated by OpenCVE AI on April 9, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mf5g-6r6f-ghhm OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
History

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.
Title OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-307
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-10T13:57:32.078Z

Reserved: 2026-04-04T12:30:33.464Z

Link: CVE-2026-35646

cve-icon Vulnrichment

Updated: 2026-04-10T13:57:26.653Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T22:16:34.223

Modified: 2026-04-15T18:52:49.400

Link: CVE-2026-35646

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:28:18Z

Weaknesses