VYPR
Moderate severity · NVD Advisory · Published Mar 31, 2026 · Updated Apr 1, 2026

CVE-2026-34508

Description

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenClaw before 2026.3.12 allowed a rate-limiting bypass on Zalo webhooks: throttling was applied only after secret validation, so requests carrying an invalid secret were never counted, leaving a pre-authentication gap that enabled brute-force guessing of the webhook secret.

The vulnerability resides in the Zalo webhook handler of OpenClaw versions up to and including 2026.3.11. The rate limiter was consulted only after webhook authentication succeeded, so a request with an invalid secret received a 401 response but did not count against the limit. Because the throttle only ever saw authenticated traffic, an attacker could make an unlimited number of authentication attempts without being slowed down [3][4].

Exploitation does not require prior authentication or user interaction. An attacker can send a high volume of requests with guessed secrets directly to the webhook endpoint. Because the rate limiter is not triggered before secret validation, the attacker can perform a brute-force attack without encountering 429 rate-limit responses [4].

Successful brute-force of the webhook secret enables the attacker to submit forged Zalo webhook traffic. Depending on the webhook handling logic, this could lead to unauthorized operations such as message injection, data manipulation, or further system compromise [4].

The issue is fixed in OpenClaw version 2026.3.12, which moves the rate-limiting check ahead of authentication so that every request, valid or not, is counted. Users are advised to update and to use long, randomly generated webhook secrets; a secret with enough entropy cannot be guessed in practice even where throttling fails, whereas a short or predictable one remains exposed to the pre-auth gap on unpatched versions [4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
openclaw (npm) | < 2026.3.12 | 2026.3.12

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.