Description
OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call processing with a captured valid signed webhook.
Published: 2026-04-28
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: Duplicate Voice‑Call Replay
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.28 implement Plivo V3 signature verification that canonicalizes query ordering for the signature but performs replay detection by hashing the raw URL. This mismatch allows an attacker to capture a valid signed webhook, reorder its query parameters, and bypass the replay cache. The result is that the same voice‑call event can be processed multiple times, potentially creating unwanted calls, incurring costs, and disrupting service availability. The flaw is a classic replay attack and is associated with CWE‑325.

Affected Systems

The affected product is OpenClaw. All deployments running OpenClaw before version 2026.3.28 are vulnerable; no specific patch version is listed beyond the release 2026.3.28 that addresses the issue.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, but the EPSS score is not provided, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA KEV, meaning it has not yet been identified as a known exploited vulnerability in the field. An attacker would first need to capture a valid signed webhook, a scenario that is feasible whenever Plivo V3 webhooks are exposed; the weakness can then be exploited over the network with a replayed request that appears legitimate because the signature still validates, while the replay cache, keyed on the raw URL rather than the canonicalized one, does not recognize the reordered request as a duplicate.

Generated by OpenCVE AI on April 28, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or later.
  • If an immediate upgrade is not possible, disable or remove Plivo V3 webhook endpoints until the patch is applied.
  • Implement server‑side replay validation by hashing the canonicalized request and rejecting repeats before initiating call processing.
  • Monitor incoming webhook traffic for repeated signatures or duplicated call events and investigate any anomalies promptly.


Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added (the Values Removed column is empty for every row)
Description | | OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call processing with a captured valid signed webhook.
Title | | OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-325
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}; cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:27:00.547Z

Reserved: 2026-04-20T14:13:45.349Z

Link: CVE-2026-41395

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:42.880

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41395

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses