CVE-2026-33580

MEDIUM EPSS 28.4%
Published Mar 31, 20263mo ago · Modified Jun 17, 20261w ago
6.3 CVSS 4.0
Medium
Find Similar
Published Mar 31, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.

CVSS Details

Base Score
6.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
28.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-307

Affected Products 1

VendorProductVersionRange
openclawopenclaw* <2026.3.28

References 3

  • github.com https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp
    Vendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication
    Third Party Advisory

Remediation

  • github.com https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd
    Patch