GHSA-rxmx-g7hr-8mx4: OpenClaw: Zalo webhook dedup collision silently drops events

GHSA-rxmx-g7hr-8mx4 MEDIUM
Published April 7, 2026
CISO Take

OpenClaw versions up to 2026.4.1 contain a logic flaw in Zalo webhook deduplication where keys are not properly scoped across conversation and sender dimensions, allowing legitimate events from different conversations or senders to collide and be silently discarded. For AI agent deployments using OpenClaw as a Zalo bot framework, this translates to bot workflows silently failing — commands go unprocessed with no error surfaced, making the failure mode difficult to detect in production until workflows visibly break. There is no active exploitation (not in CISA KEV), no public exploit code, and EPSS data is unavailable; however, the silent nature of the failure elevates operational risk well above what a medium CVSS alone would suggest for agentic pipelines where every event must be processed. Teams running OpenClaw-based Zalo bots should upgrade to 2026.4.2 immediately and audit webhook logs for unexplained event gaps.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk overall, but elevated operational concern for AI agent deployments dependent on Zalo webhook reliability. The flaw is an availability-only issue with no direct confidentiality or integrity impact under passive conditions. However, the collision can be deliberately triggered by an adversary with Zalo messaging access to the same bot, making it exploitable as a targeted DoS against specific bot workflows. The silent failure mode is the key risk multiplier: dropped events produce no error logs, making impact invisible until audited manually. With 37 other CVEs in the same package ecosystem, the package's security posture warrants additional scrutiny beyond this individual vulnerability.

Affected Systems

Package    Ecosystem   Vulnerable Range   Patched
openclaw   npm         <= 2026.4.1        2026.4.2


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw to version 2026.4.2 or later — this is the only complete fix, as it properly scopes deduplication keys across conversation and sender dimensions.
  2. Prior to upgrading, audit webhook event logs for unexpected gaps in message sequences or anomalously low event volumes from active Zalo conversations.
  3. As a compensating control before patching, implement application-level sequence tracking (e.g., monotonic message IDs or timestamps) to detect and alert on dropped events.
  4. Validate the upgrade in a staging environment with realistic multi-conversation Zalo traffic before deploying to production bots.
  5. Review the broader openclaw dependency given 37 CVEs in this package — assess whether continued use is appropriate for your risk tolerance.
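Step 3's compensating control, as an added example (written for this page, not OpenClaw's own code): a small sequence tracker in JavaScript that flags skipped per-conversation sequence numbers so a dropped event produces an alert instead of silence. It assumes each Zalo conversation carries a monotonically increasing message sequence number; the `conversationId` and `seq` field names are constructed for this illustration rather than taken from Zalo's payload schema. When choosing the sequence source, note that a timestamp alone cannot show that an event is missing, only a counter can, so the tracker works on counters and treats a repeated or lower number as a redelivery rather than a drop.

```javascript
// Added example (not OpenClaw code): application-level sequence tracking
// to surface webhook events that were silently dropped. Assumes every
// Zalo conversation carries a monotonically increasing per-conversation
// sequence number; `conversationId` and `seq` are constructed field names
// for this illustration, not Zalo's real payload schema.

class SequenceTracker {
  constructor() {
    // conversationId -> highest sequence number seen so far
    this.lastSeq = new Map();
    // gap reports, each { conversationId, expected, received, missing }
    this.alerts = [];
  }

  // Feed one webhook event. Returns a gap report when one or more sequence
  // numbers were skipped, or null when the event is in order or a replay.
  observe(event) {
    const { conversationId, seq } = event;
    const last = this.lastSeq.get(conversationId);
    if (last === undefined) {
      // First event for this conversation: nothing to compare against yet.
      this.lastSeq.set(conversationId, seq);
      return null;
    }
    if (seq <= last) {
      // Redelivery or out-of-order arrival, not a drop: do not alert.
      return null;
    }
    this.lastSeq.set(conversationId, seq);
    if (seq === last + 1) return null; // contiguous, nothing missing
    const report = {
      conversationId,
      expected: last + 1,
      received: seq,
      missing: seq - last - 1,
    };
    this.alerts.push(report);
    return report;
  }
}

// Constructed sample stream: two conversations interleaved. chat-A never
// receives seq 3; chat-B arrives intact but with one redelivered event.
const SAMPLE_STREAM = [
  { conversationId: 'chat-A', senderId: 'user-1', seq: 1, text: '/status' },
  { conversationId: 'chat-B', senderId: 'user-2', seq: 1, text: '/help' },
  { conversationId: 'chat-A', senderId: 'user-1', seq: 2, text: '/deploy' },
  { conversationId: 'chat-B', senderId: 'user-2', seq: 2, text: '/status' },
  { conversationId: 'chat-B', senderId: 'user-2', seq: 2, text: '/status' }, // redelivery
  { conversationId: 'chat-A', senderId: 'user-1', seq: 4, text: '/rollback' }, // seq 3 never arrived
];

// Run a whole stream through a fresh tracker and return the gap reports.
function detectGaps(events) {
  const tracker = new SequenceTracker();
  for (const ev of events) tracker.observe(ev);
  return tracker.alerts;
}

console.log(detectGaps(SAMPLE_STREAM));
```

In a deployment the `observe` call sits in the webhook handler ahead of the dedup step, and each returned report is routed to logging or alerting; a gap in a conversation that the bot still considers active is the signal the advisory says is otherwise absent.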

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 4.1 - Residual risks and incidents

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

## Impact

Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `ef7c553dd16ee579f1d1a363f5881a99726c1412` — scope Zalo webhook replay dedupe across the missing event dimensions

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @D0ub1e-D for reporting.
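To make the scoping problem concrete, the following added example (written for this page, not taken from OpenClaw or from the fix commit) drives a replay cache first with a key built from the message id alone and then with a key that includes the chat and sender dimensions, and counts what each key silently discards. The field names `chatId`, `senderId` and `eventId`, and the assumption that message ids restart per conversation, are constructed for the illustration.

```javascript
// Added example (not OpenClaw's code): the dedup-key scoping flaw the
// advisory describes, shown as a weak key beside a fully scoped key.
// `chatId`, `senderId` and `eventId` are constructed field names, and the
// per-conversation id scheme is an assumption made for this illustration.

// Bounded replay cache that remembers the most recent `capacity` keys.
class ReplayCache {
  constructor(capacity = 1000) {
    this.capacity = capacity;
    this.seen = new Set(); // Set preserves insertion order, so first = oldest
  }

  // Returns true if the key was already present (the event is a replay),
  // otherwise records it and returns false.
  checkAndRecord(key) {
    if (this.seen.has(key)) return true;
    this.seen.add(key);
    if (this.seen.size > this.capacity) {
      const oldest = this.seen.values().next().value;
      this.seen.delete(oldest);
    }
    return false;
  }
}

// Weak key: only the per-message id. Two conversations whose ids happen to
// carry the same value collide, and the later legitimate event is dropped.
function weakDedupKey(event) {
  return `zalo:${event.eventId}`;
}

// Scoped key: every dimension that distinguishes one event from another.
function scopedDedupKey(event) {
  return `zalo:${event.chatId}:${event.senderId}:${event.eventId}`;
}

// Run a stream through the replay check with the given key function.
// Returns the events that reached the handler and a count of discards,
// which is the metric a deployment should export rather than drop silently.
function processEvents(events, keyFn, cache = new ReplayCache()) {
  const delivered = [];
  let droppedAsReplay = 0;
  for (const ev of events) {
    if (cache.checkAndRecord(keyFn(ev))) {
      droppedAsReplay += 1; // the original flaw: no log, no error, no handler call
      continue;
    }
    delivered.push(ev);
  }
  return { delivered, droppedAsReplay };
}

// Constructed sample: message ids restart from 1 in each chat, so chat-A/1
// and chat-B/1 are distinct legitimate messages. The final event is a
// genuine redelivery of chat-A/2 and should be dropped under either key.
const COLLIDING_EVENTS = [
  { chatId: 'chat-A', senderId: 'user-1', eventId: '1', text: '/status' },
  { chatId: 'chat-B', senderId: 'user-2', eventId: '1', text: '/help' },
  { chatId: 'chat-A', senderId: 'user-1', eventId: '2', text: '/deploy' },
  { chatId: 'chat-B', senderId: 'user-3', eventId: '2', text: '/status' },
  { chatId: 'chat-A', senderId: 'user-1', eventId: '2', text: '/deploy' }, // true replay
];

console.log('weak   key:', processEvents(COLLIDING_EVENTS, weakDedupKey).droppedAsReplay, 'dropped');
console.log('scoped key:', processEvents(COLLIDING_EVENTS, scopedDedupKey).droppedAsReplay, 'dropped');
```

With the weak key three of the five events are discarded, two of them legitimate messages from other chats; with the scoped key only the real redelivery is discarded. Exporting the discard count per conversation, as `processEvents` does in aggregate here, is the cheapest way to make a collision of this kind visible in monitoring.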

Exploitation Scenario

An adversary with a Zalo account interacting with an OpenClaw-powered bot can send a high-frequency stream of messages crafted to collide with the deduplication keys of legitimate events from other conversations or users. By flooding the dedup cache with colliding keys, the attacker causes the bot to silently discard incoming commands from targeted conversations without any error being raised. In a multi-tenant deployment — such as a customer-facing bot shared across multiple Zalo groups — one malicious participant could disrupt event delivery for all other conversations, selectively silencing bot responses to legitimate users while the platform shows no visible error condition.

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
