CVE-2026-35646

MEDIUM CVSS 4.8 View on NVD ↗

Description

OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c
https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm
https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation

Published: Apr 09, 2026 22:16 UTC Modified: Apr 09, 2026 22:16 UTC