Zalo Webhook Secret Guessing Made Easier in OpenClaw
GHSA-5m9r-p9g7-679c
Summary
A security issue in OpenClaw makes it easier for attackers to guess your Zalo webhook secret, potentially allowing them to send fake messages. This is fixed in version 2026.3.12, which you should update to. In the meantime, use strong secrets for your webhooks.
What to do
- Update openclaw to version 2026.3.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.11 | 2026.3.12 |
Original title
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Original description
### Summary
The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned `401` but did not count against the rate limiter, allowing repeated secret guesses without triggering `429`.
### Impact
This made brute-force guessing materially easier for weak but policy-compliant webhook secrets. Once the secret was guessed, an attacker could submit forged Zalo webhook traffic.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. Rate limiting now applies before successful authentication is required, closing the pre-auth brute-force gap. Users should update to `2026.3.12` or later and prefer strong webhook secrets.
CVSS 4.0 score (GHSA)
6.9
Vulnerability type
CWE-307
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c
- https://github.com/openclaw/openclaw/pull/44173
- https://github.com/openclaw/openclaw/commit/f96ba87f033a14183fa0ede912df3a592eef...
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.12
- https://github.com/advisories/GHSA-5m9r-p9g7-679c
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026