Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

GHSA-6477-wvjj-47v6

Published Apr 24, 2026 · Modified May 7, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41354
WEB https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412
PACKAGE https://github.com/openclaw/openclaw
WEB https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes