MEDIUM · CVE-2026-34505 · CVSS 6.5

CVE-2026-34505: Rate Limiting Bypass in openclaw

Platform

nodejs

Component

openclaw

Fixed in

2026.3.12

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-34505 is a rate limiting bypass vulnerability in openclaw, affecting versions up to 2026.3.11. The flaw allows attackers to repeatedly guess webhook secrets without triggering rate limits, making brute-force attacks more feasible. This vulnerability has been fixed in openclaw version 2026.3.12.

Impact and Attack Scenarios

The core of this vulnerability lies in the improper implementation of rate limiting within the Zalo webhook handler. Instead of applying rate limits before authentication, the system only enforced them after a secret was successfully verified. This meant that attempts to guess the webhook secret, even with incorrect credentials, did not contribute to the rate limit counter. An attacker could therefore rapidly iterate through potential secrets, significantly reducing the time required to compromise the system. Successful secret guessing then allows the attacker to submit malicious Zalo webhook traffic, potentially leading to data manipulation, unauthorized actions, or other security breaches depending on the application's logic.

Exploitation Context

This vulnerability was publicly disclosed on 2026-03-13. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. The CVSS score of 6.5 (MEDIUM) reflects the potential for successful exploitation when the webhook secret is weak; because an attacker still has to guess the secret before gaining any access, the overall impact is limited. Public proof-of-concept code is not currently available.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 4 threat reports

EPSS

0.07% (22nd percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base score: 6.5 (MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: openclaw
Vendor: osv
Affected range: 0 – 2026.3.12
Fixed in: 2026.3.12

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-34505 is to upgrade openclaw to version 2026.3.12 or later, which includes the corrected rate limiting implementation. If upgrading is not immediately possible, consider implementing a Web Application Firewall (WAF) rule to block excessive requests to the webhook endpoint. Specifically, the WAF should be configured to rate limit requests based on the source IP address or other identifying factors, regardless of authentication status. Monitor webhook logs for unusual activity, such as a high volume of requests with invalid secrets. Review and strengthen webhook secret policies to enforce strong, randomly generated secrets.

How to fix

Update OpenClaw to version 2026.3.12 or later. This version implements rate limiting before webhook authentication, preventing bypass and brute-force attacks.

Frequently asked questions

What is CVE-2026-34505 — Rate Limiting Bypass in openclaw?

CVE-2026-34505 describes a vulnerability in openclaw where rate limiting was not applied before webhook authentication, allowing repeated secret guesses.

Am I affected by CVE-2026-34505 in openclaw?

You are affected if you are using openclaw versions 2026.3.11 or earlier and are utilizing Zalo webhook integration.

How do I fix CVE-2026-34505 in openclaw?

Upgrade openclaw to version 2026.3.12 or later to remediate the rate limiting bypass vulnerability. Consider WAF rules as a temporary workaround.

Is CVE-2026-34505 being actively exploited?

There is currently no evidence of active exploitation, but the vulnerability remains a potential risk.

Where can I find the official openclaw advisory for CVE-2026-34505?

Refer to the openclaw project's release notes and security advisories for details on this vulnerability and the fix.