CVE-2026-35628
Missing Rate Limiting in OpenClaw Telegram Webhook Enables Brute-Force
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.25 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.25 and involves a missing rate limiting mechanism in the Telegram webhook authentication process.
Because there is no throttling on authentication attempts, attackers can repeatedly try to guess weak webhook secrets through brute-force attacks.
This allows attackers to systematically attempt many authentication guesses without restriction, increasing the likelihood of successfully compromising the webhook secret.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to the Telegram webhook by allowing attackers to brute-force weak webhook secrets.
Successful exploitation could compromise the integrity and confidentiality of communications or data handled through the webhook.
Since the vulnerability has a CVSS v3.1 base score of 4.8 (medium severity) and v4.0 base score of 6.3 (medium severity), it represents a moderate risk that could impact system security.