CVE-2026-33580
Received Received - Intake
Rate Limiting Bypass in OpenClaw Nextcloud Talk Webhook Allows Brute-Force

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: VulnCheck

Description
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33580
EUVD
EUVD-2026-17439
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.28 and affects the Nextcloud Talk webhook authentication mechanism.

Specifically, there is a missing rate limiting feature on the verification of shared secret signatures used for webhook authentication.

Because of this, attackers who can reach the webhook endpoint can repeatedly attempt to guess weak shared secrets through brute-force attacks without being throttled or blocked.

If successful, the attacker can forge inbound webhook events, potentially compromising the system's integrity.

Impact Analysis

The vulnerability allows attackers to perform brute-force attacks on the shared secret used for webhook authentication.

If an attacker successfully guesses the secret, they can forge inbound webhook events.

This can lead to unauthorized actions or data manipulation within the system that relies on these webhook events.

Overall, this compromises the integrity and security of the affected system.

Detection Guidance

This vulnerability involves brute-force attacks on the Nextcloud Talk webhook shared secret authentication due to missing rate limiting. Detection can focus on monitoring repeated failed authentication attempts to the webhook endpoint.

You can detect potential exploitation by analyzing logs for multiple rapid authentication failures targeting the webhook endpoint.

  • Use network monitoring tools or log analysis to identify repeated POST requests to the webhook URL with failed authentication.
  • Example command to check for repeated failed attempts in logs (assuming logs contain webhook authentication failures):
  • grep 'webhook authentication failure' /var/log/nextcloud-talk.log | awk '{print $1, $2, $3, $NF}' | sort | uniq -c | sort -nr
  • Use network packet capture tools like tcpdump or Wireshark to monitor traffic to the webhook endpoint and look for repeated authentication attempts.
Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.3.28 or later, where the vulnerability is fixed by introducing rate limiting on webhook authentication failures.

Until the upgrade can be applied, consider the following immediate steps:

  • Restrict access to the webhook endpoint to trusted IP addresses or networks to reduce exposure.
  • Use strong, complex shared secrets to make brute-force attacks more difficult.
  • Implement external rate limiting or firewall rules to throttle repeated requests to the webhook endpoint.
  • Monitor logs closely for signs of brute-force attempts and respond accordingly.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33580. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart