OpenClaw Missing Rate Limiting Vulnerability in Telegram Webhook Authentication Allows Brute-Force Attacks on Webhook Secrets
Vulnerability
A vulnerability in OpenClaw versions prior to 2026.3.25 allows for brute-force attacks on Telegram webhook secrets due to a lack of rate limiting in the authentication process. Attackers can repeatedly guess weak webhook secrets without any throttling, enabling systematic exploitation.
Impact
The vulnerability could lead to unauthorized access by allowing attackers to guess and potentially intercept or manipulate webhook communications through the use of a valid secret.
Reproduction
The vulnerability can be reproduced by sending a high volume of authentication requests to a Telegram webhook with a weak secret. This can be done by using a script or tool that automates the process of guessing secrets, taking advantage of the absence of rate limiting to try many guesses in a short period.
Remediation
Users can update to OpenClaw version 2026.3.25 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.