5 matches found
GHSA-8288-JPQP-95FX Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation
Duplicate Advisory: This advisory has been withdrawn because CVE-2026-34508 has been rejected as a duplicate of CVE-2026-34505. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds,...
GHSA-CXFR-3QP8-HPMW Duplicate Advisory: OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-5m9r-p9g7-679c. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to...
CVE-2026-34508
...
CVE-2026-34505
OpenClaw before 2026.3.12 has a rate-limiting flaw: limits are applied only after successful webhook authentication, allowing attackers to bypass rate limits by repeatedly submitting authentication requests with invalid secrets. This enables systematic guessing of webhook secrets and could lead t...
GHSA-XQ8G-HGH6-87HV OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing
Summary: BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password. Affected Packages / Versions: Package: openclaw; Affected versions: = 2026.3.24; First patched version: 2026.3.25; Latest published npm version at verification time: 2026.3.24. Details...