CVE-2026-34508
Received Received - Intake
Authentication Bypass Enables Brute-Force in OpenClaw Webhooks

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: VulnCheck

Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-04-01
NVD
CVE-2026-34508
EUVD
EUVD-2026-17393
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.12. The software applies rate limiting only after webhook authentication succeeds. Because of this, attackers can bypass rate limits by repeatedly attempting to authenticate with invalid webhook secrets without triggering rate limiting responses (HTTP 429). This allows attackers to brute-force webhook secrets and eventually discover valid credentials.

Once valid secrets are discovered, attackers can submit forged Zalo webhook traffic, potentially impersonating legitimate webhook requests.

Impact Analysis

The vulnerability allows attackers to bypass rate limiting and brute-force webhook secrets, which can lead to unauthorized access to webhook endpoints.

This can result in attackers submitting forged webhook traffic, potentially causing unauthorized actions or data manipulation within systems relying on these webhooks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart