OpenClaw, Rate Limit Bypass, GHSA-5M9R-P9G7-679C (Moderate)

Listen to this Post

The vulnerability in OpenClaw versions up to `2026.3.11` resides in the order of operations within the Zalo webhook handler. The intended security measure of rate limiting was incorrectly implemented to trigger only after a request had successfully passed webhook authentication, which involves validating a secret. Consequently, requests that presented an invalid secret would be rejected with a `401 Unauthorized` status but would not increment the counter for the rate limiter. This created a logical gap where an attacker could send a high volume of requests with various secret guesses, receive `401` errors for each, and never be blocked by a `429 Too Many Requests` response. By bypassing the rate limiter, the effective difficulty of brute-forcing a weak, yet policy-compliant, webhook secret was materially reduced. The fix implemented in version `2026.3.12` closes this window by moving the rate limiting check to occur before the secret validation step, ensuring that all requests, regardless of their authentication outcome, count against the limit .

dailycve form:

Platform: OpenClaw
Version: <= 2026.3.11
Vulnerability : Rate limit bypass
Severity: Moderate
date: 2026-03-13

Prediction: Patch by 2026-03-13

What Undercode Say:

Analytics

The vulnerability is rooted in a common coding anti-pattern where expensive operations (rate limiting) are placed after authentication logic. This allows unauthenticated actors to consume server resources and perform brute-force attacks without constraint. The flaw, identified as CWE-307 (Improper Restriction of Excessive Authentication Attempts), specifically targets the Zalo webhook integration. Users running affected versions should prioritize upgrading to `2026.3.12` as the only reliable mitigation. The fix commit `f96ba87` demonstrates the shift of the rate limiter to the beginning of the request pipeline.

Check current OpenClaw version (example for npm-based installation)
npm list openclaw
Example of patching to the fixed version
npm install [email protected]
Verify the update
npm list openclaw | grep 2026.3.12

How Exploit

An attacker can exploit this by sending a high volume of POST requests to the vulnerable Zalo webhook endpoint. Each request contains a different guessed value for the webhook secret. The server processes each guess by attempting to validate the secret. Upon failure, it returns a `401` but does not log the attempt in the rate limiter’s memory. This allows the attacker to continue sending requests in a loop until the correct secret is discovered, effectively turning a rate-limited authentication mechanism into an unlimited brute-force challenge.

Example using curl to simulate a brute-force guess (simplified)
This request will return 401 but NOT count towards rate limit on vulnerable systems
curl -X POST https://target.com/zalo-webhook \
-H "Content-Type: application/json" \
-d '{"secret":"wrong_guess", "event":"test"}'
In a real exploit, this loop would run thousands of times without being blocked.

Protection from this CVE

The primary protection is to upgrade to OpenClaw version `2026.3.12` or later. The patch ensures rate limiting is applied pre-authentication, meaning every request, even those with invalid secrets, consumes a rate limit token. As a defense-in-depth measure, administrators should also ensure webhook secrets are strong and complex, making them resistant to brute-force attacks even if the rate limiter is bypassed. Network-level rate limiting at the firewall or load balancer can provide an additional layer of defense against IP-based flooding.

Example of applying network-level rate limiting with iptables (Linux)
Limit new connections to port 443 (HTTPS) to 10 per minute from a single IP
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

Impact

Successful exploitation of this vulnerability allows an attacker to brute-force the Zalo webhook secret. Once the secret is compromised, the attacker can forge legitimate-looking webhook traffic. This can lead to the injection of false events, data manipulation, or triggering of automated workflows within the OpenClaw system that rely on the authenticity of the webhook source, potentially compromising the integrity of the application’s data and logic .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top