
15 matches found

NVD
added 2026/04/28 12:16 a.m., 7 views

CVE-2026-41362

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

CVSS 4.3, EPSS 0.00274
Exploits 0, References 4
CVE
added 2026/04/27 11:24 p.m., 12 views

CVE-2026-41362

OpenClaw 2026.2.19 up to 2026.3.31 is affected by an improper cache isolation in the Zalo webhook replay-dedupe mechanism shared across authenticated webhook targets. An attacker controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on other a...

CVSS 4.3, AI score 5.3, EPSS 0.00274
Exploits 0, References 4, Affected Software 1
ATTACKERKB
added 2026/04/27 11:24 p.m., 8 views

CVE-2026-41362

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

CVSS 4.3, AI score 5.3, EPSS 0.00274
Exploits 0, References 5, Affected Software 1
Cvelist
added 2026/04/27 11:24 p.m., 29 views

CVE-2026-41362 OpenClaw 2026.2.19 through 2026.3.30 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

CVSS 4.3, EPSS 0.00274
Exploits 0, References 4
OSV
added 2026/04/24 12:31 a.m., 3 views

GHSA-6477-WVJJ-47V6 Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows...

CVSS 6.3, AI score 5.7, EPSS 0.00278
Exploits 0, References 5
NVD
added 2026/04/23 10:16 p.m., 6 views

CVE-2026-41354

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

CVSS 6.3, EPSS 0.00278
Exploits 0, References 3
Positive Technologies
added 2026/04/23 12:00 a.m., 6 views

PT-2026-34785

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

CVSS 6.3, AI score 5.8, EPSS 0.00278
Exploits 0, References 5
OSV
added 2026/04/07 6:15 p.m., 5 views

GHSA-RXMX-G7HR-8MX4 OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. Impact Cross-conversation or cross-sender collisions could cau...

CVSS 6.3, AI score 5.8, EPSS 0.00278
Exploits 0, References 5
Github Security Blog
added 2026/04/07 6:15 p.m., 9 views

OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. Impact Cross-conversation or cross-sender collisions could cau...

CVSS 6.3, AI score 5.9, EPSS 0.00278
Exploits 0, References 5, Affected Software 1
OSV
added 2026/04/07 6:14 p.m., 3 views

GHSA-FQRJ-M88P-QF3V OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if event_name and message_id matched. Impact...

CVSS 2.3, AI score 5.8
Exploits 0, References 4
Github Security Blog
added 2026/04/07 6:14 p.m., 7 views

OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if event_name and message_id matched. Impact...

AI score 5.9
Exploits 0, References 4, Affected Software 1
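Both dedupe-scoping advisories above (GHSA-FQRJ-M88P-QF3V / CVE-2026-41362 on the cache shared across authenticated webhook targets, and GHSA-RXMX-G7HR-8MX4 / CVE-2026-41354 on keys not scoped by chat and sender) come down to how the replay key is built. The following is an added example, not OpenClaw's code, that shows the over-broad key the advisories describe beside a scoped one; the field names (account id, chat_id, sender_id, event_name, message_id) and the sample events are constructed for the demo.

```javascript
// Added example, not OpenClaw's code: replay-dedupe keying for a Zalo-style
// webhook, the over-broad key the advisories describe beside a scoped one.
// Field names (accountId, chat_id, sender_id, event_name, message_id) are
// assumptions for the demo, not the project's actual schema.

class ReplayDedupeCache {
  constructor(ttlMs = 60_000) {
    this.ttlMs = ttlMs;
    this.seen = new Map(); // dedupe key -> expiry (ms since epoch)
  }

  // Returns true when `key` was seen within the TTL (caller drops the event
  // as a replay); otherwise records it and returns false.
  isReplay(key, now = Date.now()) {
    const expiry = this.seen.get(key);
    if (expiry !== undefined && expiry > now) return true;
    this.seen.set(key, now + this.ttlMs);
    return false;
  }
}

// Vulnerable shape: the key ignores which authenticated webhook target
// (account) the event arrived on and which chat/sender it belongs to, so any
// two events sharing event_name + message_id collide, across accounts or chats.
function weakKey(_accountId, event) {
  return `${event.event_name}:${event.message_id}`;
}

// Hardened shape: namespace by the authenticated target first, then chat and
// sender, then the event identity. Components are length-prefixed so values
// containing the separator cannot be rearranged into a colliding key.
function scopedKey(accountId, event) {
  const parts = [accountId, event.chat_id, event.sender_id, event.event_name, event.message_id];
  return parts.map((p) => `${String(p).length}|${p}`).join(';');
}

// Runs (accountId, event) pairs through one shared cache and returns the
// events that were delivered rather than dropped as replays.
function deliver(events, keyFn) {
  const cache = new ReplayDedupeCache();
  const delivered = [];
  for (const { accountId, event } of events) {
    if (cache.isReplay(keyFn(accountId, event))) continue;
    delivered.push(`${accountId}:${event.chat_id}:${event.sender_id}:${event.message_id}`);
  }
  return delivered;
}

// Constructed traffic: one genuine replay plus two legitimate events that
// happen to reuse message_id "m1" on another account and in another chat.
const SAMPLE_EVENTS = [
  { accountId: 'acct-A', event: { event_name: 'user_send_text', message_id: 'm1', chat_id: 'c1', sender_id: 's1' } },
  { accountId: 'acct-A', event: { event_name: 'user_send_text', message_id: 'm1', chat_id: 'c1', sender_id: 's1' } }, // true replay
  { accountId: 'acct-B', event: { event_name: 'user_send_text', message_id: 'm1', chat_id: 'c9', sender_id: 's7' } }, // other account (CVE-2026-41362 shape)
  { accountId: 'acct-A', event: { event_name: 'user_send_text', message_id: 'm1', chat_id: 'c2', sender_id: 's2' } }, // other chat (CVE-2026-41354 shape)
];

console.log('weak  :', deliver(SAMPLE_EVENTS, weakKey));   // only the first event survives
console.log('scoped:', deliver(SAMPLE_EVENTS, scopedKey)); // three delivered, one replay dropped
```

The cache object is the same in both runs; only the key function changes. Scoping by the authenticated target has to come first, because that is the one component the sender cannot choose: it is whichever account's secret validated the request. Chat and sender scoping then keeps unrelated conversations from colliding on a reused message_id, and the length prefix keeps a separator character inside one field from being mistaken for a field boundary.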
Github Security Blog
added 2026/03/03 11:08 p.m., 10 views

OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMAC(secret, random + body) but...

CVSS 6.5, AI score 5.9, EPSS 0.00267
Exploits 0, References 5, Affected Software 1
OSV
added 2026/03/03 10:25 p.m., 2 views

GHSA-GCJ7-R3HG-M7W6 OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity

Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (the i-twilio-idempotency-token header), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw npm ...

CVSS 3.7, AI score 6
Exploits 0, References 3
Github Security Blog
added 2026/03/03 10:25 p.m., 10 views

OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity

Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (the i-twilio-idempotency-token header), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw npm ...

AI score 6
Exploits 0, References 3, Affected Software 1
Positive Technologies
added 2026/03/03 12:00 a.m., 6 views

PT-2026-26224

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMAC(secret, random + body) but...

CVSS 6.5, AI score 5.8, EPSS 0.00267
Exploits 0, References 9