CVE-2026-41362
Severity: LOW, score 2.3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Severity: MEDIUM, score 4.3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: low
Description
OpenClaw versions from 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism: the dedupe cache is shared across all authenticated webhook targets instead of being scoped per target. In multi-account deployments, an attacker who controls one authenticated Zalo webhook path can suppress legitimate events destined for other accounts by delivering events whose event_name and message_id parameters match those of the legitimate events, causing the shared cache to treat the later, legitimate events as replays.
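The cache-isolation flaw described above, as an added illustration that is not OpenClaw's code: a webhook replay-dedupe cache written both ways, keyed only on (event_name, message_id) as the advisory describes the flawed behaviour, and keyed additionally on the delivering account, which is the isolation the fix restores. Field names (accountId, eventName, messageId), the TTL and the sample events are assumptions.

```javascript
// Added example (not OpenClaw's code). Identifier names are assumptions.
// `shared: true` keys only on (event_name, message_id), so an entry recorded
// for one account collides with identical ids arriving for another account;
// `shared: false` scopes the key to the delivering account.
class WebhookDedupeCache {
  constructor({ shared = false, ttlMs = 5 * 60_000, now = Date.now } = {}) {
    this.shared = shared;
    this.ttlMs = ttlMs;
    this.now = now;
    this.seen = new Map(); // cache key -> expiry timestamp (ms)
  }

  // Build the cache key. NUL separators avoid "a"+"bc" vs "ab"+"c" ambiguity.
  keyFor({ accountId, eventName, messageId }) {
    const parts = this.shared ? [eventName, messageId] : [accountId, eventName, messageId];
    return parts.map(String).join("\u0000");
  }

  // Drop expired entries so a stale key cannot suppress a later event forever.
  evictExpired() {
    const t = this.now();
    for (const [k, exp] of this.seen) if (exp <= t) this.seen.delete(k);
  }

  // Returns true if the event should be processed, false if it is a replay.
  admit(event) {
    this.evictExpired();
    const k = this.keyFor(event);
    if (this.seen.has(k)) return false;
    this.seen.set(k, this.now() + this.ttlMs);
    return true;
  }
}

// Two accounts receive events that share event_name and message_id (constructed
// sample data). Returns whether the second account's event is still delivered.
function secondAccountDelivered(shared) {
  const cache = new WebhookDedupeCache({ shared });
  cache.admit({ accountId: "acct-1", eventName: "text_message", messageId: "m-42" });
  return cache.admit({ accountId: "acct-2", eventName: "text_message", messageId: "m-42" });
}

// A genuine replay on the same account is still rejected in the isolated mode.
function sameAccountReplayRejected() {
  const cache = new WebhookDedupeCache({ shared: false });
  const e = { accountId: "acct-1", eventName: "text_message", messageId: "m-42" };
  return cache.admit(e) && !cache.admit(e);
}
```

With the shared key the second account's event is silently dropped; with the per-account key it is delivered while a true replay on the same account is still deduplicated.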
CWE-668: Exposure of Resource to Wrong Sphere (Status: Draft)
Common Consequences
Security Scopes Affected:
Confidentiality
Integrity
Other
Potential Impacts:
Read Application Data
Modify Application Data
Varies By Context
Applicable Platforms
All platforms may be affected
Application
Openclaw by Openclaw
Version Range Affected: from 2026.2.19 (inclusive) to 2026.3.31 (exclusive)
CPE Identifier
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
References
https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42…
https://github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94…
https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v
https://www.vulncheck.com/advisories/openclaw-webhook-replay-dedupe-cache-event…