GHSA-vcx4-4qxg-mfp4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vcx4-4qxg-mfp4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vcx4-4qxg-mfp4/GHSA-vcx4-4qxg-mfp4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vcx4-4qxg-mfp4
- Aliases
-
- CVE-2026-35628
- Downstream
- Published
- 2026-03-27T22:37:35Z
- Modified
- 2026-04-18T01:05:36.242936Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
- Details
-
Summary
Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Telegram webhook auth previously rejected bad secrets but did not throttle repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit
c2c136ae9517ddd0789d742a0fdf4c10e8c729a7adds repeated-guess throttling before auth failure responses.Verified vulnerable on tag
v2026.3.24and fixed onmainby commitc2c136ae9517ddd0789d742a0fdf4c10e8c729a7.Fix Commit(s)
c2c136ae9517ddd0789d742a0fdf4c10e8c729a7
Release Process Note
2026.3.25is the next planned OpenClaw release version inpackage.json. This advisory is being published ahead of that npm release so the draft is no longer blocked; once2026.3.25is published, the structured patched-version metadata will match the released artifact. - Package:
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-307", "CWE-521" ], "github_reviewed": true, "github_reviewed_at": "2026-03-27T22:37:35Z", "nvd_published_at": null }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4
- https://nvd.nist.gov/vuln/detail/CVE-2026-35628
- https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw