OpenClaw Webhook Authentication Rate Limiting Vulnerability Allowing Brute-Force Attacks
Vulnerability
A missing rate limiting vulnerability has been identified in OpenClaw versions prior to 2026.3.25, specifically within the webhook authentication process. This vulnerability allows remote attackers to brute-force weak webhook passwords without any throttling. By repeatedly sending incorrect password guesses to the webhook endpoint, attackers can bypass authentication and gain unauthorized access.
Impact
Exploitation of this vulnerability allows for unauthorized access through successful brute-force guessing of weak webhook passwords.
Reproduction
The vulnerability can be reproduced by sending repeated incorrect password guesses to the webhook endpoint. This can be done manually or automated with a script, taking advantage of the absence of rate limiting on authentication attempts. The same client IP can be used for all attempts, as the lack of throttling allows for rapid guessing without delay.
Remediation
Users can update to OpenClaw version 2026.3.25 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.