CVE-2026-34505：OpenClaw Webhook 速率限制绕过漏洞

OpenClaw 中的 CVE-2026-34505 影响 Zalo webhook 处理程序。系统在 webhook 身份验证成功 之后 才会应用请求速率限制。这意味着具有无效密钥的请求会收到 401 错误，但不会计入速率限制器。因此，攻击者可以在不达到 429 限制的情况下反复猜测密钥。一旦密钥被正确猜测，攻击者就可以提交伪造的 Zalo webhook 流量。

Applications utilizing openclaw for Zalo webhook integration, particularly those with weak or easily guessable webhook secrets, are at risk. Shared hosting environments where multiple applications share the same webhook endpoint are also potentially vulnerable, as an attacker could target a single vulnerable application to gain access to others.

• nodejs: Use npm audit to check for vulnerable versions of openclaw. Monitor application logs for repeated 401 errors from webhook requests, which could indicate a brute-force attempt.

npm audit openclaw

• generic web: Monitor access logs for a high volume of requests to the Zalo webhook endpoint with 401 status codes. Implement rate limiting on the webhook endpoint to detect and block suspicious activity.

1. 2026-03-13Disclosure

   disclosure

1. 已保留2026-03-30
2. 发布日期2026-03-13
3. 修改日期2026-04-06
4. EPSS 更新日期2026-04-07

CVE-2026-34505 的缓解措施是将 OpenClaw 更新到 2026.3.12 或更高版本。此版本在 webhook 身份验证 之前 实施速率限制，从而防止攻击者尝试猜测密钥的次数过多。强烈建议更新以保护免受此安全风险。此外，建议使用强大且复杂的 webhook 密钥来进一步阻止暴力破解攻击。