CVE-2026-35618

Description

## Summary Before `v2026.3.23`, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate `baseUrl + nonce`, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new `verifiedRequestKey`. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `< 2026.3.23` - Fixed: `>= 2026.3.23` - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2` ## Root Cause The vulnerable logic lived in `extensions/voice-call/src/webhook-security.ts`. V2 signature validation already canonicalized to the base URL without query parameters, but the replay key used the full `verificationUrl`, letting query-only variants bypass replay identity stability. ## Fix Commit(s) - `b0ce53a79cf63834660270513e26d921899b4e5b` — `fix(voice-call): stabilize plivo v2 replay keys` ## Release Status The fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix. ## Code-Level Confirmation - `extensions/voice-call/src/webhook-security.ts` now derives the V2 replay key with `createPlivoV2ReplayKey(...)`, which hashes `getBaseUrlNoQuery(url)` plus the nonce. - `extensions/voice-call/src/webhook-security.test.ts` contains the regression test `treats query-only V2 variants as the same verified request`. Thanks @smaeljaish771 for reporting.

How to fix CVE-2026-35618

To remediate CVE-2026-35618, upgrade the affected package to a fixed version below.

• —upgrade to 2026.3.23 or later

Is CVE-2026-35618 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2026.3.23