Description
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.
Published: 2026-04-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Service Disruption
Action: Update Application
AI Analysis

Impact

A logic flaw in OpenClaw's handling of Zalo webhook replay deduplication keys allows legitimate events from distinct conversations or senders to collide. The collision suppresses messages silently, thereby disrupting bot workflows that rely on timely message delivery. The weakness is classified as CWE-706 (Use of Incorrectly-Resolved Name or Reference): the deduplication key does not resolve to a single conversation and sender, so the system fails to enforce adequate scope isolation for event deduplication.

Affected Systems

The affected product is OpenClaw (vendor OpenClaw, product OpenClaw). Versions prior to 2026.4.2 are affected; no other specific revisions are listed.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA KEV. Exploitation requires an attacker to send crafted Zalo webhook events that share the deduplication key used by OpenClaw. Because the system does not enforce per‑conversation scoping, messages from different sources can be treated as duplicates, leading to silent loss of traffic. The likely attack vector is through unauthorized or manipulated webhook traffic, often feasible for an adversary who can intercept or inject requests in the communication channel.
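The following is an added illustration of the dedupe-key scoping problem described above; it is not OpenClaw's code (none appears on this page). It builds a minimal replay-dedupe cache and feeds the same constructed events through a key that uses only the platform message id and through a key scoped by conversation and sender. The event field names (conversationId, senderId, eventId) are assumed for the example.

```javascript
// Added example: replay-dedupe key scoping for inbound chat webhook events.
// Illustrative code, not OpenClaw's; the event fields conversationId,
// senderId and eventId are assumed names.

class ReplayDedupe {
  constructor(keyFn, ttlMs = 5 * 60 * 1000) {
    this.keyFn = keyFn;    // builds the dedupe key from an event
    this.ttlMs = ttlMs;    // how long a key is remembered
    this.seen = new Map(); // key -> expiry time (ms)
  }

  // Returns true when the event is new and should be processed,
  // false when its key was already seen inside the TTL window.
  accept(event, now = Date.now()) {
    for (const [key, expiry] of this.seen) {
      if (expiry <= now) this.seen.delete(key); // drop expired entries
    }
    const key = this.keyFn(event);
    if (this.seen.has(key)) return false;
    this.seen.set(key, now + this.ttlMs);
    return true;
  }
}

// Weak key: only the platform message id. Two unrelated conversations whose
// message ids match collide, and the second legitimate event is silently dropped.
const weakKey = (e) => `msg:${e.eventId}`;

// Scoped key: conversation and sender are part of the key, so only a true
// replay of the same event in the same context is suppressed. Each part is
// percent-encoded so a ':' inside an id cannot forge another part boundary.
const scopedKey = (e) =>
  ['msg', e.conversationId, e.senderId, e.eventId]
    .map((p) => encodeURIComponent(String(p)))
    .join(':');

// Constructed sample traffic: two conversations, two senders, one genuine replay.
const SAMPLE_EVENTS = [
  { conversationId: 'conv-A', senderId: 'user-1', eventId: '100', text: 'hi' },
  { conversationId: 'conv-B', senderId: 'user-2', eventId: '100', text: 'hello' }, // other chat, same id
  { conversationId: 'conv-A', senderId: 'user-1', eventId: '100', text: 'hi' },    // genuine replay
  { conversationId: 'conv-A', senderId: 'user-2', eventId: '100', text: 'yo' },    // same chat, other sender
];

// Feeds the sample events through a dedupe built with keyFn and returns the
// accept/reject decision for each event, in order.
function runScenario(keyFn, events = SAMPLE_EVENTS) {
  const dedupe = new ReplayDedupe(keyFn);
  const t0 = 1_700_000_000_000; // fixed clock so the run is deterministic
  return events.map((e, i) => dedupe.accept(e, t0 + i * 1000));
}

// Shows that a key seen again after the TTL window is accepted once more,
// which bounds how long a collision (or a replay) can suppress traffic.
function replayAfterTtl(keyFn, ttlMs = 1000) {
  const dedupe = new ReplayDedupe(keyFn, ttlMs);
  const e = SAMPLE_EVENTS[0];
  return [dedupe.accept(e, 0), dedupe.accept(e, 500), dedupe.accept(e, ttlMs)];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak key  :', runScenario(weakKey));   // [ true, false, false, false ]
  console.log('scoped key:', runScenario(scopedKey)); // [ true, true, false, true ]
  console.log('after ttl :', replayAfterTtl(scopedKey)); // [ true, false, true ]
}
```

With the weak key, the second, third and fourth events are all rejected even though only the third is a replay; with the scoped key, only the replay is dropped. When auditing a dedupe cache, check that every field that distinguishes a legitimate event (conversation, sender, and if relevant the bot or app instance) is part of the key, and that the key is joined in a way that cannot be ambiguous.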

Generated by OpenCVE AI on April 28, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.4.2 or later where the deduplication scope issue is fixed.
  • Enforce strict authentication and whitelisting on the Zalo webhook endpoint to limit which senders can submit events, reducing the chance of accidental key collision.
  • Implement monitoring for abnormal webhook activity and missing message deliveries so that any silent suppression can be detected and corrected promptly.


Advisories

Source: Github GHSA
ID: GHSA-rxmx-g7hr-8mx4
Title: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

History

Thu, 23 Apr 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.
Title | (none) | OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys
First Time appeared | (none) | Openclaw; Openclaw openclaw
Weaknesses | (none) | CWE-706
CPEs | (none) | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | (none) | Openclaw; Openclaw openclaw
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}; cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T10:58:06.293Z

Reserved: 2026-04-20T14:07:26.648Z

Link: CVE-2026-41354

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-23T22:16:42.670

Modified: 2026-05-01T20:17:23.193

Link: CVE-2026-41354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses