CVE-2026-41354
LOW
OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys
Title source: cnaDescription
OpenClaw before 2026.4.2 uses insufficiently scoped replay-deduplication keys for Zalo webhook events, so legitimate events from different conversations or senders can collide on the same key. An attacker can exploit this weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.
References (3)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-rxmx-g7hr-8mx4)
https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys
https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys
Scores
CVSS v3
3.7
EPSS
0.0028
EPSS Percentile
19.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-706
Status
published
Products (4)
npm/openclaw
0 - 2026.4.2 (npm)
OpenClaw/OpenClaw
< 2026.4.2
openclaw/openclaw
< 2026.4.2
OpenClaw/OpenClaw
2026.4.2
Published
Apr 23, 2026
Tracked Since
Apr 24, 2026