Medium severity4.8NVD Advisory· Published Apr 9, 2026· Updated Apr 15, 2026
CVE-2026-35646
CVE-2026-35646
Description
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.28 | 2026.3.28 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863cnvdPatchWEB
- github.com/advisories/GHSA-mf5g-6r6f-ghhmghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhmnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-35646ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validationnvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.