Description
OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.
Published: 2026-04-27
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

OpenClaw versions 2026.2.19 through 2026.3.30 contain an improper cache isolation flaw in the Zalo webhook replay-dedupe mechanism. When an attacker controls an authenticated Zalo webhook path in a multi‑account deployment, they can suppress legitimate events on other accounts by sending requests with matching event_name and message_id parameters. This suppression inhibits the normal flow of events, potentially disrupting notifications, workflow triggers, or other time‑sensitive actions, which constitutes a denial of service against the affected accounts.

Affected Systems

The affected product is OpenClaw from OpenClaw, Inc. Versions older than 2026.3.31, specifically those built from 2026.2.19 up to but not including 2026.3.31, are vulnerable.

Risk and Exploitability

The CVSS score of 2.3 indicates a low overall severity, and there is no EPSS data or KEV listing for this vulnerability, suggesting that it is not widely exploited. The attack requires an authenticated user with access to at least one webhook target in a shared environment; the attacker must then craft webhook requests that match the event and message identifiers used by other accounts. Because the flaw is triggered by normal webhook traffic rather than an explicit exploit payload, the risk is limited to environments that employ shared authentication across multiple accounts and rely on the Zalo replay-dedupe feature.
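To make the cache-isolation point concrete, here is an added example (not OpenClaw's code, and not a reconstruction of its Zalo handler): a minimal replay-dedupe cache for webhook events, first keyed only on (event_name, message_id) as the description implies, then keyed per account. The account ids, event names, message ids and the TTL are constructed for the demonstration; the per-account counter illustrates the kind of signal the monitoring recommendation below relies on.

```javascript
// Added example, not OpenClaw's implementation. Models a webhook replay-dedupe
// cache shared by several authenticated webhook targets (accounts).
class ReplayDedupeCache {
  constructor({ isolatePerAccount, ttlMs = 60000, now = Date.now } = {}) {
    this.isolatePerAccount = isolatePerAccount; // false = the weak, shared key
    this.ttlMs = ttlMs;
    this.now = now;
    this.seen = new Map();          // dedupe key -> expiry timestamp
    this.suppressed = new Map();    // accountId -> number of dropped events
  }

  // Weak form: key built from event_name and message_id only, so any account
  // can pre-populate a key that another account's legitimate event will hit.
  // Fixed form: the account id is part of the key, so entries cannot collide
  // across accounts.
  key(accountId, eventName, messageId) {
    return this.isolatePerAccount
      ? `${accountId}\u0000${eventName}\u0000${messageId}`
      : `${eventName}\u0000${messageId}`;
  }

  // Returns true if the event should be processed, false if it is treated as
  // a replay of an event already seen within the TTL.
  shouldProcess(accountId, event) {
    const k = this.key(accountId, event.event_name, event.message_id);
    const t = this.now();
    const expiry = this.seen.get(k);
    if (expiry !== undefined && expiry > t) {
      this.suppressed.set(accountId, (this.suppressed.get(accountId) || 0) + 1);
      return false;
    }
    this.seen.set(k, t + this.ttlMs);
    return true;
  }
}

// Simulates a multi-account deployment: one dispatcher, two webhook targets.
// Returns the list of events that reached their handlers.
function simulate(isolatePerAccount) {
  const cache = new ReplayDedupeCache({ isolatePerAccount });
  const delivered = [];
  const dispatch = (accountId, event) => {
    if (cache.shouldProcess(accountId, event)) {
      delivered.push(`${accountId}:${event.event_name}:${event.message_id}`);
    }
  };
  // Constructed traffic: "acct-b" delivers an event whose identifiers match a
  // legitimate event for "acct-a" that arrives afterwards.
  dispatch('acct-b', { event_name: 'user_send_text', message_id: 'msg-1001' });
  dispatch('acct-a', { event_name: 'user_send_text', message_id: 'msg-1001' });
  // A genuine replay on acct-b is suppressed in both modes.
  dispatch('acct-b', { event_name: 'user_send_text', message_id: 'msg-1001' });
  return { delivered, suppressed: Object.fromEntries(cache.suppressed) };
}

console.log('shared key  :', simulate(false));
console.log('isolated key:', simulate(true));
```

With the shared key, acct-a's event is counted as a replay and never reaches its handler; with the account id in the key, both accounts' events are delivered and only the real replay on acct-b is dropped. Exposing the per-account suppression counter (or logging each suppression with its account id) is what lets a log review distinguish genuine replays from cross-account collisions.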

Generated by OpenCVE AI on April 28, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later to apply the de‑duplication isolation fix
  • If an upgrade is not immediately possible, disable shared authentication for webhook endpoints or segment accounts so that each account has isolated webhook paths
  • Configure monitoring to detect repeated suppression of events by reviewing webhook logs for unusual patterns of missing or delayed events



Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Title
Values Removed: OpenClaw 2026.2.19 < 2026.3.31 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication
Values Added: OpenClaw 2026.2.19 through 2026.3.30 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication

Tue, 28 Apr 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 23:45:00 +0000

Type: Description
Values Added: OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.

Type: Title
Values Added: OpenClaw 2026.2.19 < 2026.3.31 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-668

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}
cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:52:14.165Z

Reserved: 2026-04-20T14:09:02.629Z

Link: CVE-2026-41362

Vulnrichment

Updated: 2026-04-28T12:43:56.625Z

NVD

Status : Analyzed

Published: 2026-04-28T00:16:25.087

Modified: 2026-04-28T18:46:41.267

Link: CVE-2026-41362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses