Description
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.
Published: 2026-04-09
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: Replay protection bypass enabling forged or duplicated requests
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.23 incorrectly compute replay keys by incorporating the entire query string of signed requests instead of using only the base URL. This flaw, which falls under authentication bypass weaknesses, allows an attacker to modify unsigned query parameters and create a new replay key that the system accepts. The consequence is a bypass of the replay protection mechanism, giving an adversary the ability to forge or replay authenticated requests, thereby compromising request integrity and potentially enabling unauthorized actions.

Affected Systems

The vulnerability affects the OpenClaw application distributed as a Node.js package. All installations running any release before 2026.3.23 are susceptible, regardless of operating environment, as the issue resides within the OpenClaw code base referenced by its CPE taxonomy.

Risk and Exploitability

The CVSS score of 8.3 marks this flaw as high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote, requiring only the ability to send HTTP requests to the target service. An attacker can generate a valid replay key by altering query strings in signed requests, without knowledge of secret keys, and replay or modify requests with assurance of authentication acceptance.

Generated by OpenCVE AI on April 9, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenClaw update to version 2026.3.23 or later to fix replay key derivation
  • Verify the application is running the patched version before exposing it to external traffic
  • If an immediate update is not possible, disable Plivo V2 signature verification or restrict access to the affected endpoints until the patch is applied

Generated by OpenCVE AI on April 9, 2026 at 22:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.
Title OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-294
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-10T12:33:14.731Z

Reserved: 2026-04-04T12:28:49.756Z

Link: CVE-2026-35618

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-09T22:16:30.143

Modified: 2026-04-09T22:16:30.143

Link: CVE-2026-35618

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:28:41Z

Weaknesses