{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34508", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "REJECTED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-30T13:51:47.549Z", "datePublished": "2026-03-31T11:17:22.065Z", "dateUpdated": "2026-04-01T13:50:32.608Z", "dateRejected": "2026-04-01T13:50:32.608Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T13:50:32.608Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34508", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "REJECTED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-30T13:51:47.549Z", "datePublished": "2026-03-31T11:17:22.065Z", "dateUpdated": "2026-04-01T13:50:32.608Z", "dateRejected": "2026-04-01T13:50:32.608Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T13:50:32.608Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "id": "CVE-2026-34508", "lastModified": "2026-04-01T14:16:53.820", "metrics": {}, "published": "2026-03-31T12:16:30.647", "references": [], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.3.12)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2026.3.12"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenClaw", "source": "cna", "vendor": "OpenClaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-03-31T12:22:47.216094+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading OpenClaw to version 2026.3.12 or later.", "If an upgrade is delayed, place an external rate limiter or firewall rule at the webhook URL to restrict request frequency regardless of authentication.", "Rotate any existing webhook secrets after the patch to prevent use of credentials that may have been discovered during the attack window.", "Monitor incoming webhook traffic for anomalous patterns, such as a high volume of authentication failures or suspicious payloads, and investigate promptly."], "summary": {"action": "Immediate Patch", "impact": "Rate Limiting Bypass / Brute-Force Webhook Secrets"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenClaw application; all installations running OpenClaw version 2026.3.11 or earlier are impacted. There is no other product or vendor listed as affected in the CNA data.", "description_and_impact": "In OpenClaw versions before 2026.3.12 the rate limiting mechanism for webhook endpoints is applied only after a successful authentication. Because the check comes too late, an attacker can send many requests that fail authentication, never triggering a 429 response. This allows the attacker to repeatedly guess the secret key until the correct one is discovered and then use that valid credential to send forged Zalo webhook traffic. The weakness stems from insecure access control (CWE\u2011307) and results in unauthorized use of the webhook API.", "risk_and_exploitability": "The CVSS base score of 6.3 describes a medium severity flaw with potential for unauthorized access to the webhook interface. The EPSS score is not provided, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited known exploitation to date. However, the attack vector is likely remote, as the webhook endpoint is accessible over the Internet. An attacker can launch the brute\u2011force attack from any location that can reach the webhook URL, and by bypassing the rate limiter the attack can be carried out with high frequency until the secret key is discovered. Overall the risk is moderate to high for systems that rely on the webhook for critical integrations and do not have additional rate limiting or firewall controls in place."}}}}, "created": "2026-03-31T19:55:00.165262+00:00", "updated": "2026-03-31T20:38:54.279812+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}