Description
OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver duplicate webhook messages to unintended targets.
Published: 2026-04-28
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: Authenticated replay of webhook messages across sibling targets
Action: Patch
AI Analysis

Impact

OpenClaw prior to version 2026.3.31 allows authenticated attackers to bypass scope restrictions in the webhook replay cache. By leveraging the same messageId across different sibling targets, an attacker can trick the system into treating distinct webhook deliveries as duplicates and thus replay messages to unintended recipients. This flaw arises from overly broad cache keying and results in duplicate delivery rather than a traditional denial of service or data breach.

Affected Systems

OpenClaw: any installation running a release earlier than 2026.3.31 is affected.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score is not available, suggesting limited public exploitation data. The vulnerability is not listed in CISA KEV. Attackers would need valid authentication to the target system and the ability to send webhook requests with repeated messageIds in order to exploit the flaw.

Generated by OpenCVE AI on April 28, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.3.31 or later, which removes the scope bypass in webhook replay cache.
  • Ensure that webhook integrations generate distinct messageIds for each target, preventing accidental cache key collisions.
  • If immediate upgrade is not possible, consider disabling or stripping the replay cache for external webhooks until a patch is applied.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver duplicate webhook messages to unintended targets.
Title                (none)           OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass
First Time appeared  (none)           Openclaw; Openclaw openclaw
Weaknesses           (none)           CWE-706
CPEs                 (none)           cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products   (none)           Openclaw; Openclaw openclaw
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}
                                      cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:17:50.747Z

Reserved: 2026-04-20T14:15:22.223Z

Link: CVE-2026-41402

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:43.690

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses