{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89796?format=json","vulnerability_id":"VCID-utv2-tyje-kfht","summary":"Duplicate Advisory: OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-xq8g-hgh6-87hv. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access.","aliases":[{"alias":"GHSA-rc8f-r29c-chr6"}],"fixed_packages":[],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scor
ing_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35623","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35623"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements"
:""}],"url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting"},{"reference_url":"https://github.com/advisories/GHSA-rc8f-r29c-chr6","reference_id":"GHSA-rc8f-r29c-chr6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rc8f-r29c-chr6"}],"weaknesses":[{"cwe_id":307,"name":"Improper Restriction of Excessive Authentication Attempts","description":"The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-utv2-tyje-kfht"}