VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-86wa-z59e-xqgu

Essentials
Severities (24)
References (7)
Severity details (20)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-86wa-z59e-xqgu
Aliases	CVE-2026-35623 GHSA-xq8g-hgh6-87hv
Summary	OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-307	Improper Restriction of Excessive Authentication Attempts
CWE-521	Weak Password Requirements
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00108	https://api.first.org/data/v1/epss?cve=CVE-2026-35623
epss	0.00108	https://api.first.org/data/v1/epss?cve=CVE-2026-35623
epss	0.00108	https://api.first.org/data/v1/epss?cve=CVE-2026-35623
epss	0.00108	https://api.first.org/data/v1/epss?cve=CVE-2026-35623
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-xq8g-hgh6-87hv
cvssv3.1	4.8	https://github.com/openclaw/openclaw
cvssv4	6.3	https://github.com/openclaw/openclaw
generic_textual	MODERATE	https://github.com/openclaw/openclaw
cvssv3.1	4.8	https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92
cvssv4	6.3	https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92
generic_textual	MODERATE	https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92
ssvc	Track	https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92
cvssv3.1	4.8	https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv
cvssv3.1_qr	MODERATE	https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv
cvssv4	6.3	https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv
generic_textual	MODERATE	https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv
ssvc	Track	https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv
cvssv3.1	4.8	https://nvd.nist.gov/vuln/detail/CVE-2026-35623
cvssv4	6.3	https://nvd.nist.gov/vuln/detail/CVE-2026-35623
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-35623
cvssv3.1	4.8	https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting
cvssv4	6.3	https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting
generic_textual	MODERATE	https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting
ssvc	Track	https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-35623
		https://github.com/openclaw/openclaw
		https://nvd.nist.gov/vuln/detail/CVE-2026-35623
5e08ce36d522a1c96df2bfe88e39303ae2643d92		https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92
GHSA-xq8g-hgh6-87hv		https://github.com/advisories/GHSA-xq8g-hgh6-87hv
GHSA-xq8g-hgh6-87hv		https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv
openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting		https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/openclaw/openclaw

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/ Found at https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/ Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35623

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35623

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/ Found at https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting

Exploit Prediction Scoring System (EPSS)

Percentile	0.28542
EPSS Score	0.00108
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:45:05.142242+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35623.json	38.6.0