GHSA-fqrj-m88p-qf3v: OpenClaw: cross-account webhook event suppression

GHSA-fqrj-m88p-qf3v LOW
Published April 7, 2026
CISO Take

OpenClaw's Zalo webhook integration maintained a replay-deduplication cache shared globally across all accounts in a multi-account gateway deployment, keyed only on event_name and message_id — allowing an attacker with a single authenticated webhook endpoint to silently suppress legitimate events destined for a different account on the same gateway. The blast radius is strictly limited to availability: there is no cross-account data access or authentication bypass, and exploitation requires the adversary to already hold an authenticated webhook path within the target gateway deployment. With no CVSS score assigned, no EPSS data, and no CISA KEV listing, active exploitation in the wild is considered unlikely, though the risk is most acute for organizations running high-density, multi-account OpenClaw deployments where silent event loss could cascade into broader agentic workflow failures. Upgrade to openclaw >= 2026.4.1 (npm), which includes both the initial scope-per-target fix from 2026.3.31 and follow-up hardening that additionally scopes replay deduplication by path and account.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Low risk overall. The vulnerability requires an attacker to already possess an authenticated Zalo webhook path within the same multi-account gateway — a meaningful precondition that significantly constrains the attack surface. Impact is confined to message suppression (availability only), with no confidentiality or integrity consequences confirmed. No CVSS vector, EPSS percentile, or KEV listing exists. Risk is elevated exclusively for organizations operating shared OpenClaw gateway deployments across multiple Zalo accounts where silent event loss could trigger downstream agentic failures without obvious alerting.

Affected Systems

| Package  | Ecosystem | Vulnerable Range           | Patched   |
|----------|-----------|----------------------------|-----------|
| openclaw | npm       | >= 2026.2.19, < 2026.3.31  | 2026.3.31 |


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw (npm) to >= 2026.4.1 immediately — this version includes the initial per-target scoping fix from 2026.3.31 plus follow-up hardening that scopes replay deduplication by both path and account.
  2. If immediate upgrade is blocked, isolate each Zalo account to its own dedicated OpenClaw gateway instance as a temporary workaround to eliminate cross-account cache sharing.
  3. Audit webhook delivery logs for unexpected deduplication events that may indicate prior exploitation or silent event loss.
  4. Review all multi-account gateway configurations for shared caching or shared in-memory state that crosses account trust boundaries.

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10: LLM09 - Overreliance

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if `event_name` and `message_id` matched.

## Impact

An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `>= 2026.2.19, < 2026.3.31`
- Patched versions: `>= 2026.3.31`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — scope webhook replay dedupe per target
- `7cea7c29705b188b464cc9cdc107c275b94b2a72` — follow-up hardening to scope replay dedupe by path and account

## Release Process Note

The initial fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains follow-up hardening for the same surface.

Thanks @nexrin for reporting.

Exploitation Scenario

An attacker operating a legitimate account in a shared multi-account OpenClaw gateway deployment observes the event_name and message_id patterns from their own Zalo webhook traffic to infer the structure used across the deployment. They then replay or craft webhook events with matching parameters through their own authenticated endpoint ahead of the target account's expected traffic. The shared dedupe cache marks those events as already processed, silently discarding the target account's legitimate incoming messages. In an AI agent context, this could suppress a critical trigger — for example, an approval message that would authorize an automated financial action or an alert that would activate a security response agent — with no error raised to the operator.
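The shared-cache defect from the advisory summary and the scenario above, shown as an added example that is not OpenClaw's own code: a gateway-wide dedupe keyed only on `event_name` and `message_id` beside one whose key is scoped by webhook path and account. The account object, its `path` and `id` fields, the event shape and the two-account scenario are all assumptions constructed for the illustration.

```javascript
// Added example (not OpenClaw's code): one dedupe cache in two key shapes.
// The account/event field names are assumptions; sample values are constructed.

// Generic replay-dedupe cache. Which fields go into the key is the whole bug.
function makeDedupe(keyOf, maxEntries = 10000) {
  const seen = new Map(); // insertion-ordered, so the oldest key is evicted first
  return (account, event) => {
    const key = keyOf(account, event);
    if (seen.has(key)) return "suppressed";
    if (seen.size >= maxEntries) seen.delete(seen.keys().next().value);
    seen.set(key, Date.now());
    return "delivered";
  };
}

// Vulnerable key: ignores which authenticated target the event arrived on,
// so a key first seen on account A's path suppresses the same key on account B.
const globalKey = (_account, event) => `${event.event_name}:${event.message_id}`;

// Hardened key: carries the webhook path and the account bound to it.
// JSON.stringify of an array stays unambiguous even if a field contains ':'.
const scopedKey = (account, event) =>
  JSON.stringify([account.path, account.id, event.event_name, event.message_id]);

const makeGlobalDedupe = () => makeDedupe(globalKey);
const makeScopedDedupe = () => makeDedupe(scopedKey);

// Scenario from the advisory: an event with a given event_name/message_id lands
// on account A's authenticated path first; account B's legitimate event with the
// same two fields arrives afterwards on B's own path.
function runScenario(dedupe) {
  const accountA = { id: "acct-A", path: "/webhooks/zalo/acct-A" }; // constructed
  const accountB = { id: "acct-B", path: "/webhooks/zalo/acct-B" }; // constructed
  const event = { event_name: "user_send_text", message_id: "m-1001" }; // constructed
  return {
    firstOnA: dedupe(accountA, event),  // delivered under both keys
    replayOnA: dedupe(accountA, event), // suppressed under both keys: a real replay
    legitOnB: dedupe(accountB, event),  // global: suppressed (the bug); scoped: delivered
  };
}
```

Scoping the key is the change the advisory's fix commits describe; the bounded Map is an added defensive choice so that no single target can grow the cache without limit.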

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
