Platform: nodejs
Component: openclaw
Fixed in: 2026.3.12
CVE-2026-34505 is a rate limiting bypass vulnerability in openclaw, affecting versions up to 2026.3.11. The flaw allows attackers to repeatedly guess webhook secrets without triggering rate limits, making brute-force attacks more feasible. This vulnerability has been fixed in openclaw version 2026.3.12.
The core of this vulnerability lies in the improper implementation of rate limiting within the Zalo webhook handler. Instead of applying rate limits before authentication, the system only enforced them after a secret was successfully verified. This meant that attempts to guess the webhook secret, even with incorrect credentials, did not contribute to the rate limit counter. An attacker could therefore rapidly iterate through potential secrets, significantly reducing the time required to compromise the system. Successful secret guessing then allows the attacker to submit malicious Zalo webhook traffic, potentially leading to data manipulation, unauthorized actions, or other security breaches depending on the application's logic.
This vulnerability was publicly disclosed on 2026-03-13. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. The CVSS score of 6.5 (MEDIUM) reflects that exploitation is feasible when the webhook secret is weak, while the fact that the secret must still be guessed rather than authentication being bypassed outright limits the overall impact. Public proof-of-concept code is not currently available.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-34505 is to upgrade openclaw to version 2026.3.12 or later, which includes the corrected rate limiting implementation. If upgrading is not immediately possible, consider implementing a Web Application Firewall (WAF) rule to block excessive requests to the webhook endpoint. Specifically, the WAF should be configured to rate limit requests based on the source IP address or other identifying factors, regardless of authentication status. Monitor webhook logs for unusual activity, such as a high volume of requests with invalid secrets. Review and strengthen webhook secret policies to enforce strong, randomly generated secrets.
Update OpenClaw to version 2026.3.12 or later. This version implements rate limiting before webhook authentication, preventing bypass and brute-force attacks.
CVE-2026-34505 describes a vulnerability in openclaw where rate limiting was not applied before webhook authentication, allowing repeated secret guesses.
You are affected if you are using openclaw versions 2026.3.11 or earlier and are utilizing Zalo webhook integration.
Upgrade openclaw to version 2026.3.12 or later to remediate the rate limiting bypass vulnerability. Consider WAF rules as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the openclaw project's release notes and security advisories for details on this vulnerability and the fix.