CVE-2026-34508
Authentication Bypass Enables Brute-Force in OpenClaw Webhooks
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.12. The software applies rate limiting only after webhook authentication succeeds. Because of this, attackers can bypass rate limits by repeatedly attempting to authenticate with invalid webhook secrets without triggering rate limiting responses (HTTP 429). This allows attackers to brute-force webhook secrets and eventually discover valid credentials.
Once valid secrets are discovered, attackers can submit forged Zalo webhook traffic, potentially impersonating legitimate webhook requests.
How can this vulnerability impact me? :
The vulnerability allows attackers to bypass rate limiting and brute-force webhook secrets, which can lead to unauthorized access to webhook endpoints.
This can result in attackers submitting forged webhook traffic, potentially causing unauthorized actions or data manipulation within systems relying on these webhooks.