CVE-2026-34505

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

02 Apr 2026, 12:22

Type	Values Removed	Values Added
First Time		Openclaw openclaw Openclaw
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation -~~	() https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation - Third Party Advisory
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

31 Mar 2026, 18:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 6.5

31 Mar 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-31 12:16

Updated : 2026-04-02 12:22

NVD link : CVE-2026-34505

Mitre link : CVE-2026-34505

CVE.ORG link : CVE-2026-34505

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2026-34505", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-31T12:16:30.237", "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c", "tags": ["Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission."}], "lastModified": "2026-04-02T12:22:44.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B90EC1D8-4E2B-46AF-8E66-B689693A16CE", "versionEndExcluding": "2026.3.12"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}