CVE-2026-34508

CVSS v3.1

6.5

Medium

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently submit forged Zalo webhook traffic.

Fix

Improper Restriction of Excessive Authentication Attempts

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-307

Related Identifiers

CVE-2026-34508

Affected Products

Openclaw

CVE-2026-34508

Weakness Enumeration

Related Identifiers

Affected Products

References · 3