GHSA-5m9r-p9g7-679c
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Details
### Summary
The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned `401` but did not count against the rate limiter, allowing repeated secret guesses without triggering `429`.
### Impact
This made brute-force guessing materially easier for weak but policy-compliant webhook secrets. Once the secret was guessed, an attacker could submit forged Zalo webhook traffic.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. The rate limiter is now consulted before the webhook secret is validated, so requests carrying an invalid secret count toward the limit and the pre-authentication brute-force window is closed. Users should update to `2026.3.12` or later and use long, randomly generated webhook secrets.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-34505 [ADVISORY]
- https://github.com/openclaw/openclaw/pull/44173 [WEB]
- https://github.com/openclaw/openclaw/commit/f96ba87f033a14183fa0ede912df3a592eef55ff [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.12 [WEB]
- https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation [WEB]