Improper Restriction of Excessive Authentication Attempts in OpenClaw - CVE-2026-34505

 

Improper Restriction of Excessive Authentication Attempts in OpenClaw - CVE-2026-34505

Published: April 8, 2026


Vulnerability identifier: #VU125158
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34505
CWE-ID: CWE-307
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to forge Zalo webhook traffic.

The vulnerability exists due to improper restriction of excessive authentication attempts in the Zalo webhook handler when processing webhook requests with invalid secrets. A remote attacker can repeatedly guess the webhook secret to forge Zalo webhook traffic.

Requests with an invalid secret returned 401 responses but did not count against the rate limiter, so repeated guesses would not trigger 429 responses.


How to mitigate CVE-2026-34505

Install security update from vendor's website.

Sources