OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

GHSA-rxmx-g7hr-8mx4 · CVE-2026-41354

Description

Summary

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

Impact

Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.
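The following is an added illustration of the key-scoping problem described above; it is not OpenClaw's code and does not reproduce the patched implementation. It models a replay-dedupe cache with two key schemes: a weak key built from the message id alone, and a key scoped across every dimension that makes an event distinct. The event field names (`chatId`, `senderId`, `msgId`), the TTL, and the sample event stream are assumptions constructed for the example.

```javascript
// Added illustration (not OpenClaw's code): how the dimensions included in a
// replay-dedupe key decide whether two distinct webhook events collide.
// Event field names (chatId, senderId, msgId) are assumed for this example.

// Weak key: message id only. Events from different chats or senders that
// happen to share a message id collide and the later one is dropped.
function weakDedupeKey(evt) {
  return String(evt.msgId);
}

// Scoped key: chat, sender, and message id all take part, so a hit in the
// cache means the same message from the same sender in the same chat.
// Each part is percent-encoded so a separator inside a value cannot make
// two different tuples serialize to the same string.
function scopedDedupeKey(evt) {
  return [evt.chatId, evt.senderId, evt.msgId]
    .map((part) => encodeURIComponent(String(part)))
    .join("|");
}

// Minimal replay cache with TTL-based expiry. accept() returns true when the
// event should be processed and false when it is treated as a replay.
class ReplayCache {
  constructor(keyFn, ttlMs = 5 * 60 * 1000, now = Date.now) {
    this.keyFn = keyFn;
    this.ttlMs = ttlMs;
    this.now = now;
    this.seen = new Map(); // key -> expiry timestamp (ms)
  }

  accept(evt) {
    const t = this.now();
    // Evict expired keys so the cache is bounded by the TTL window.
    for (const [k, exp] of this.seen) {
      if (exp <= t) this.seen.delete(k);
    }
    const key = this.keyFn(evt);
    if (this.seen.has(key)) return false;
    this.seen.set(key, t + this.ttlMs);
    return true;
  }
}

// Constructed event stream: one original, one genuine replay of it, then two
// legitimate events that share its message id but differ in chat or sender.
const SAMPLE_EVENTS = [
  { chatId: "chat-A", senderId: "user-1", msgId: 1001 }, // original
  { chatId: "chat-A", senderId: "user-1", msgId: 1001 }, // true replay
  { chatId: "chat-B", senderId: "user-1", msgId: 1001 }, // other chat
  { chatId: "chat-A", senderId: "user-2", msgId: 1001 }, // other sender
];

// Runs the sample stream through a fresh cache using the given key scheme
// and returns the accept/drop decision for each event in order.
function simulate(keyFn, events = SAMPLE_EVENTS) {
  const cache = new ReplayCache(keyFn);
  return events.map((e) => cache.accept(e));
}

// Weak key drops both legitimate events: [true, false, false, false]
// Scoped key drops only the true replay:  [true, false, true, true]
console.log("weak  :", simulate(weakDedupeKey));
console.log("scoped:", simulate(scopedDedupeKey));
```

The check a reviewer would apply to any dedupe layer is the one the sample stream encodes: for each dimension that can legitimately vary between events (chat, sender, and whatever else the platform allows to overlap), construct two otherwise identical events that differ only in that dimension and confirm both are accepted. A key that passes that test cannot suppress a legitimate message by collision; the only remaining false drop is a TTL chosen longer than the platform's own id reuse interval.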

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • ef7c553dd16ee579f1d1a363f5881a99726c1412 — scope Zalo webhook replay dedupe across the missing event dimensions

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.

Thanks @D0ub1e-D for reporting.