The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned 401 but did not count against the rate limiter, allowing repeated secret guesses without triggering 429.

This made brute-force guessing materially easier for weak but policy-compliant webhook secrets. Once the secret was guessed, an attacker could submit forged Zalo webhook traffic.

openclaw <= 2026.3.11

Fixed in openclaw 2026.3.12. Rate limiting now applies before successful authentication is required, closing the pre-auth brute-force gap. Users should update to 2026.3.12 or later and prefer strong webhook secrets.