CVE Reports

Posted on • Originally published at cvereports.com

GHSA-VCX4-4QXG-MFP4: Missing Rate Limiting in OpenClaw Telegram Webhook Authentication

Vulnerability ID: GHSA-VCX4-4QXG-MFP4
CVSS Score: 2.3
Published: 2026-03-27

The OpenClaw npm package implements a Telegram bot extension that relies on webhooks to receive updates. In affected versions up to 2026.3.24, the application fails to implement rate limiting on the Telegram webhook authentication endpoint. This omission allows an unauthenticated, remote attacker to perform a brute-force attack against the x-telegram-bot-api-secret-token HTTP header. If the configured secret is weak or short, the attacker can systematically guess the token, bypass the authentication boundary, and submit forged webhook updates to execute unauthorized commands within the context of the bot application.

TL;DR

Missing rate limiting in OpenClaw's Telegram webhook handler allows attackers to brute-force the authentication secret and forge bot updates.


Technical Details

  • Vulnerability Class: Improper Restriction of Excessive Authentication Attempts (CWE-307)
  • CVSS v4.0 Score: 2.3 (Low)
  • Attack Vector: Network
  • Attack Complexity: High
  • Authentication: None Required
  • Impact: Unauthorized Command Execution via Spoofed Webhooks
  • Exploit Status: Unexploited / PoC Not Public

Affected Systems

  • OpenClaw <= 2026.3.24 (npm ecosystem)
  • openclaw: <= 2026.3.24 (Fixed in: 2026.3.25)

Code Analysis

Commit: c2c136a

Fix missing guess rate limiting on Telegram webhook authentication endpoint

Mitigation Strategies

  • Upgrade the openclaw package to version 2026.3.25 or higher.
  • Rotate the existing Telegram webhook secret to a high-entropy, long string.
  • Configure 'gateway.trustedProxies' correctly if running behind a reverse proxy to ensure accurate IP-based rate limiting.
  • Restrict network access to the webhook endpoint to known Telegram Bot API IP ranges using a firewall.

Remediation Steps:

  1. Run 'npm install openclaw@latest' to update to the patched version.
  2. Generate a new secure secret token (e.g., using 'openssl rand -hex 32').
  3. Update the bot configuration with the newly generated secret.
  4. Verify the application configuration sets 'gateway.trustedProxies' to include the IP addresses of any upstream load balancers or CDNs.
  5. Restart the OpenClaw service to apply the updated code and configuration.
