CVE-2026-41362
Cache Isolation Vulnerability in OpenClaw Zalo Webhook Allows Event Suppression
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | From 2026.2.19 (inc) to 2026.3.31 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41362 affects OpenClaw from version 2026.2.19 up to, but not including, 2026.3.31. The flaw is in the replay-dedupe mechanism of the Zalo webhook: the cache used to recognise replayed webhook events is shared across all authenticated webhook targets instead of being isolated per target.
In a multi-account deployment, an attacker who controls one authenticated Zalo webhook path can send an event whose event_name and message_id match an event that another account is about to receive. Because the dedupe key is built only from those two fields and not from the webhook path or the account, the shared cache records the attacker's copy first, and the legitimate delivery to the other account is then treated as a replay and dropped. The attacker needs valid credentials for their own webhook path and has to supply the target event's message_id; the page does not say how predictable Zalo message_ids are.
The weakness is classified as CWE-668 (Exposure of Resource to Wrong Sphere). No CVSS score is listed on this page; the impact is confined to availability. The fix scopes the replay-dedupe cache per authenticated target, so replay detection is keyed by webhook path and account ID as well as by event_name and message_id.
How can this vulnerability impact me?
If an attacker controls another authenticated webhook path in the same multi-account deployment, legitimate webhook events for your account can be silently dropped.
The attacker submits events with the same event_name and message_id values as the events they want to suppress. The shared deduplication cache records them, and the genuine deliveries that follow are rejected as replays. The effect is loss of availability: the messages reach the webhook but are never processed.
The vulnerability does not grant access to another account's data and does not bypass webhook authentication. The impact is limited to availability, and an affected deployment may show no symptom beyond the missing events.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability affects availability: an attacker in a multi-account deployment can suppress legitimate webhook events on other accounts.
Nothing on the page indicates unauthorized data access, authentication bypass or exposure of personal data, so the confidentiality and integrity requirements at the centre of GDPR and HIPAA are not directly engaged.
Both frameworks do treat availability as part of security (GDPR Article 32 lists availability and resilience of processing systems; the HIPAA Security Rule covers availability of ePHI), so if the suppressed events carry regulated data, an unexplained loss of those events is still worth recording and, where the deployment is in scope, assessing.
Absent a data breach or unauthorized disclosure, the direct impact on compliance with these regulations is limited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm whether the deployment runs a vulnerable version (2026.2.19 up to, but not including, 2026.3.31), and look for the symptom, which is events with the same event_name and message_id arriving at different accounts or webhook paths, with the later arrival rejected as a duplicate.
On a vulnerable version, the webhook logs are the place to look: a duplicate rejection for an account on which that event_name/message_id pair was never seen before is the signature of cross-account suppression. Fixed versions key the cache per target, so the same pair on two accounts is processed on both and produces no such rejection.
The page provides no commands that detect the vulnerability directly on a network or host; version comparison and log review are the available checks.
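As an added example that is not from the page or from OpenClaw, the following JavaScript performs the two checks just described: it compares an installed version string against the affected range, and it scans webhook log lines for the same event_name/message_id pair reaching more than one account within a short window. The log line format, the field names and the sample lines are constructed for this example; adapt the parsing to whatever the deployment actually logs.

```javascript
// Added detection helpers, not OpenClaw tooling. The version format follows the
// YYYY.M.D numbers in the advisory's affected range; the log line format below
// is an assumption constructed for this example.

const AFFECTED_FROM = "2026.2.19"; // inclusive
const FIXED_IN = "2026.3.31";      // exclusive

// Parse "2026.3.30" into [2026, 3, 30]; rejects anything that is not three integers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric, field-by-field comparison ("2026.3.4" sorts before "2026.3.30").
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies in [AFFECTED_FROM, FIXED_IN).
function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Flag the same event_name/message_id pair reaching a second account within
// `windowMs` of the first. With a shared dedupe cache that is exactly the
// condition under which the second delivery is dropped. Constructed format:
//   <epoch_ms> path=<path> account=<id> event_name=<name> message_id=<id> result=<processed|duplicate>
function findCrossAccountCollisions(lines, windowMs = 60_000) {
  const firstSeen = new Map(); // "event_name:message_id" -> { account, at }
  const hits = [];
  for (const line of lines) {
    const tokens = line.trim().split(/\s+/);
    const at = Number(tokens[0]);
    const f = Object.fromEntries(tokens.slice(1).map((kv) => kv.split("=", 2)));
    if (!Number.isFinite(at) || !f.account || !f.event_name || !f.message_id) continue;
    const key = `${f.event_name}:${f.message_id}`;
    const prev = firstSeen.get(key);
    if (prev === undefined) {
      firstSeen.set(key, { account: f.account, at });
    } else if (prev.account !== f.account && at - prev.at <= windowMs) {
      hits.push({ key, firstAccount: prev.account, thenAccount: f.account, result: f.result });
    }
  }
  return hits;
}

// Constructed sample: account B's path receives m-1001 first; account A's
// legitimate m-1001 then shows up as a duplicate. The m-2002 pair is a
// same-account replay and must not be flagged.
const SAMPLE_LOG = [
  "1000 path=/webhooks/zalo/b account=B event_name=user_send_text message_id=m-1001 result=processed",
  "1500 path=/webhooks/zalo/a account=A event_name=user_send_text message_id=m-1001 result=duplicate",
  "3000 path=/webhooks/zalo/a account=A event_name=user_send_text message_id=m-2002 result=processed",
  "4000 path=/webhooks/zalo/a account=A event_name=user_send_text message_id=m-2002 result=duplicate",
];

console.log("2026.3.30 affected:", isAffected("2026.3.30"));
console.log("2026.3.31 affected:", isAffected("2026.3.31"));
console.log("collisions:", findCrossAccountCollisions(SAMPLE_LOG));
```

A collision whose second line carries result=duplicate on a version inside the affected range is the case to escalate; the same pair processed on both accounts is what a fixed version produces.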
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenClaw to 2026.3.31 or later. That release fixes the issue by scoping the webhook replay-deduplication cache per authenticated target.
With the fix, the dedupe key includes the webhook path and the authenticated account ID alongside event_name and message_id, so an entry recorded for one account cannot cause another account's event to be treated as a replay.
If the upgrade cannot be applied immediately, limit who can post to the authenticated webhook paths (the attack requires control of one of them), and watch the webhook logs for duplicate rejections of events that were never previously seen on the affected account.
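To make the defect and the fix concrete for both the explanation of the vulnerability and the mitigation above, here is an added illustration in JavaScript. It is not OpenClaw's code: the cache structure, the event fields and the 60-second TTL are assumptions for the example. The unscoped key models the vulnerable versions, where only event_name and message_id are hashed; the scoped key models the fix, which adds the webhook path and account ID. The scenario is constructed: the attacker on account B sends an event with the same event_name and message_id that account A is about to receive legitimately, followed by a genuine replay to A.

```javascript
// Added illustration, not OpenClaw code: a webhook replay-dedupe cache with an
// unscoped key (the vulnerable design) beside one scoped per authenticated
// target (the fixed design). Event shape, target shape and TTL are assumptions.

// Vulnerable key: event_name and message_id only, so identical values sent to
// any account collide in the one shared cache.
function unscopedKey(_target, event) {
  return `${event.event_name}:${event.message_id}`;
}

// Fixed key: webhook path and account id are part of the key, so one target's
// entries cannot shadow another target's events.
function scopedKey(target, event) {
  return `${target.path}|${target.accountId}|${event.event_name}:${event.message_id}`;
}

// Minimal TTL dedupe cache. `seen` returns true when the key is already recorded
// and unexpired; otherwise it records the key and returns false.
function makeDeduper(keyFn, ttlMs = 60_000) {
  const cache = new Map(); // key -> expiry timestamp (ms)
  return {
    seen(target, event, now = Date.now()) {
      const key = keyFn(target, event);
      const expiry = cache.get(key);
      if (expiry !== undefined && expiry > now) return true;
      cache.set(key, now + ttlMs);
      return false;
    },
    size() { return cache.size; },
  };
}

// Push a sequence of (target, event, arrival time) through one deduper and
// record, per delivery, whether it was dropped as a replay.
function deliver(keyFn, arrivals) {
  const dedupe = makeDeduper(keyFn);
  return arrivals.map(({ target, event, at }) => ({
    accountId: target.accountId,
    message_id: event.message_id,
    dropped: dedupe.seen(target, event, at),
  }));
}

// Constructed scenario. The attacker controls the authenticated webhook path
// for account B and sends an event carrying the event_name/message_id that
// account A is about to receive legitimately. A third arrival is a genuine
// replay to A, which both designs should drop.
const ACCOUNT_A = { path: "/webhooks/zalo/a", accountId: "A" };
const ACCOUNT_B = { path: "/webhooks/zalo/b", accountId: "B" };
const EVENT = { event_name: "user_send_text", message_id: "m-1001" };
const ARRIVALS = [
  { target: ACCOUNT_B, event: EVENT, at: 1_000 }, // attacker's pre-emptive copy
  { target: ACCOUNT_A, event: EVENT, at: 1_500 }, // legitimate delivery to A
  { target: ACCOUNT_A, event: EVENT, at: 2_000 }, // genuine replay to A
];

// Drop decisions for account A's two deliveries under a given key scheme.
function accountADecisions(keyFn) {
  return deliver(keyFn, ARRIVALS)
    .filter((o) => o.accountId === "A")
    .map((o) => o.dropped);
}

console.log("unscoped:", accountADecisions(unscopedKey)); // legitimate event dropped too
console.log("scoped:  ", accountADecisions(scopedKey));   // only the replay dropped
```

Under the unscoped key the attacker's entry at 1000 ms shadows account A's first delivery, so A never processes m-1001 at all; under the scoped key A's first delivery is processed and only the later replay is rejected, which is the behaviour the fix restores.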