CVE-2026-41354
EPSS 0.06%OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
描述
## Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. ## Impact Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `ef7c553dd16ee579f1d1a363f5881a99726c1412` — scope Zalo webhook replay dedupe across the missing event dimensions ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @D0ub1e-D for reporting.
受影響套件(1)
- npm/openclawfrom 0, < 2026.4.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-41354
- PATCHhttps://github.com/openclaw/openclaw
- WEBhttps://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412
- WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4
- WEBhttps://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys