CVE Reports

Originally published at cvereports.com

GHSA-5M9R-P9G7-679C: Rate Limit Bypass and Brute-Force Vulnerability in OpenClaw Zalo Webhook

Vulnerability ID: GHSA-5M9R-P9G7-679C
CVSS Score: 5.3
Published: 2026-03-13

OpenClaw versions prior to 2026.3.12 contain a logic flaw in the Zalo webhook handler where rate limiting is applied after authentication validation. This allows unauthenticated attackers to bypass request throttling and conduct unbounded brute-force attacks against the webhook secret token.

TL;DR

A 'Check-Then-Limit' logic flaw in OpenClaw's Zalo webhook handler allows attackers to bypass rate limiting. Unauthenticated requests that fail authentication do not consume the rate limit budget, enabling rapid brute-force attacks to discover the webhook secret.
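To make the ordering flaw concrete, the following is an added illustration, not OpenClaw's code: a minimal fixed-window rate limiter keyed by client IP, one handler that throttles only after the secret check succeeds (the vulnerable order) and one that spends rate-limit budget on every request before the check (the fixed order). The header name x-bot-api-secret-token comes from the advisory; the secret value, the limiter algorithm, the function names and the client address are constructed for this example.

```javascript
// Added example of the "check-then-limit" flaw. Constructed names and values;
// not OpenClaw's own handler or limiter.

const HEADER = "x-bot-api-secret-token";
const WEBHOOK_SECRET = "constructed-secret-token"; // constructed, not a real value

// Fixed-window limiter keyed by client IP: at most `limit` requests per window.
function createRateLimiter(limit, windowMs) {
  const buckets = new Map();
  return function consume(ip, now) {
    const b = buckets.get(ip);
    if (!b || now - b.start >= windowMs) {
      buckets.set(ip, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

// Compare the presented token against the secret without early-exit on the
// first mismatched character, so response timing does not reveal a prefix match.
function secretMatches(presented) {
  if (typeof presented !== "string" || presented.length !== WEBHOOK_SECRET.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < presented.length; i++) {
    diff |= presented.charCodeAt(i) ^ WEBHOOK_SECRET.charCodeAt(i);
  }
  return diff === 0;
}

// Vulnerable ordering: authenticate first, rate-limit only what passes. A wrong
// token returns 401 without touching the limiter, so failed guesses are unbounded.
function vulnerableHandler(limiter, req, now) {
  if (!secretMatches(req.headers[HEADER])) return 401;
  if (!limiter(req.ip, now)) return 429;
  return 200;
}

// Fixed ordering: every request, valid or not, consumes budget before the
// secret is examined, so guesses from one address are capped per window.
function fixedHandler(limiter, req, now) {
  if (!limiter(req.ip, now)) return 429;
  if (!secretMatches(req.headers[HEADER])) return 401;
  return 200;
}

// Send `attempts` wrong tokens from one address inside a single window and count
// how many were actually evaluated (any response other than 429).
function countEvaluatedGuesses(handler, attempts, limit) {
  const limiter = createRateLimiter(limit, 60000);
  let evaluated = 0;
  for (let i = 0; i < attempts; i++) {
    const req = { ip: "198.51.100.7", headers: { [HEADER]: `guess-${i}` } }; // constructed
    if (handler(limiter, req, 1000 + i) !== 429) evaluated += 1;
  }
  return evaluated;
}

console.log("vulnerable order, guesses evaluated:", countEvaluatedGuesses(vulnerableHandler, 1000, 10));
console.log("fixed order, guesses evaluated:     ", countEvaluatedGuesses(fixedHandler, 1000, 10));
```

With a limit of 10 per window, the vulnerable order evaluates all 1000 wrong tokens while the fixed order evaluates 10 and rejects the rest with 429. The same counter is also the signal a detection rule can watch: a burst of 401 responses on the webhook path from one address that never turns into 429s indicates the limiter is not in front of authentication.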


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-307
  • Attack Vector: Network
  • CVSS v3.1: 5.3
  • Impact: Confidentiality (Partial)
  • Exploit Status: Proof of Concept (PoC)
  • CISA KEV: Not Listed

Affected Systems

  • npm/openclaw: < 2026.3.12 (fixed in 2026.3.12)
  • OpenClaw Zalo Extension Webhook Handler

Code Analysis

Commit: f96ba87

Fix rate limit bypass in Zalo webhook handler by applying rate limiting before authentication and resolving client IPs correctly.

Mitigation Strategies

  • Upgrade to the patched version of OpenClaw.
  • Implement edge-level rate limiting using a Web Application Firewall (WAF) or reverse proxy.
  • Rotate existing Zalo webhook secret tokens if unauthorized access or brute-force attempts are suspected.
  • Configure trusted proxies correctly within the application gateway settings to prevent IP spoofing.

Remediation Steps:

  1. Identify all deployments utilizing the npm/openclaw package.
  2. Update the package dependencies in package.json to require version 2026.3.12 or higher.
  3. Execute the package manager update command (e.g., npm install openclaw@^2026.3.12).
  4. Verify the trustedProxies configuration in the deployment environment maps accurately to the actual infrastructure proxy IPs.
  5. Restart the OpenClaw service to apply the updated logic.
  6. Generate new x-bot-api-secret-token values for the Zalo integration and update the provider accordingly.
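Step 4 matters because the limiter keys on the client IP: if that IP is taken from X-Forwarded-For without checking which hop supplied it, a direct client can present a different address on every request and get a fresh budget each time. The following added example (constructed addresses and a hypothetical `trustedProxies` list; not OpenClaw's configuration format) resolves the client address by walking X-Forwarded-For from the right and skipping only hops that are trusted proxies, beside the naive leftmost-entry approach, and counts how many distinct limiter keys one peer can obtain under each.

```javascript
// Added example of trusted-proxy client IP resolution. Addresses and the
// trustedProxies list are constructed; the helper names are hypothetical.

// Walk X-Forwarded-For right-to-left, skipping hops that are known proxies; the
// first hop that is not a trusted proxy is the client. If the direct peer is
// not itself a trusted proxy, the header is attacker-controlled and ignored.
function resolveClientIp(peerIp, forwardedFor, trustedProxies) {
  const trusted = new Set(trustedProxies);
  if (!trusted.has(peerIp)) return peerIp;
  const hops = (forwardedFor || "").split(",").map(s => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peerIp; // header empty or every hop trusted: fall back to the peer
}

// Naive resolution: take the leftmost X-Forwarded-For entry whoever sent it.
function naiveClientIp(peerIp, forwardedFor) {
  const first = (forwardedFor || "").split(",")[0].trim();
  return first || peerIp;
}

// Count the distinct limiter keys one peer obtains by varying the header value.
function distinctKeys(resolver, peerIp, trustedProxies, attempts) {
  const keys = new Set();
  for (let i = 0; i < attempts; i++) {
    const spoofed = `10.0.${Math.floor(i / 256)}.${i % 256}`; // constructed header values
    keys.add(resolver(peerIp, spoofed, trustedProxies));
  }
  return keys.size;
}

const TRUSTED = ["192.0.2.1", "192.0.2.2"]; // constructed proxy addresses
// Direct client at 203.0.113.9 spoofing the header: one key vs. one key per request.
console.log("trusted-proxy resolution, keys:", distinctKeys(resolveClientIp, "203.0.113.9", TRUSTED, 500));
console.log("naive resolution, keys:         ", distinctKeys(naiveClientIp, "203.0.113.9", TRUSTED, 500));
// Legitimate chain: client -> proxy 192.0.2.2 -> proxy 192.0.2.1 -> app.
console.log("behind two proxies:", resolveClientIp("192.0.2.1", "203.0.113.9, 192.0.2.2", TRUSTED));
```

Two checks follow from this when verifying the configuration: the trusted list should contain exactly the addresses that actually terminate connections in front of the application (a stale or overly broad list lets a peer claim any address), and a request arriving directly from a non-proxy address should be keyed on that address regardless of what headers it carries.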

Read the full report for GHSA-5M9R-P9G7-679C on our website for more details including interactive diagrams and full exploit analysis.
