PT-2026-33566 · Npm · Openclaw
Published
2026-04-07
·
Updated
2026-04-07
CVSS v4.0
2.3
Low
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Summary
Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if the event name and message id matched.
Impact
An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: >= 2026.2.19, < 2026.3.31
- Patched versions: >= 2026.3.31
- Latest published npm version: 2026.4.1
Fix Commit(s)
- 4d038bb242c11f39e45f6a4bde400e5fd42e4ebf — scope webhook replay dedupe per target
- 7cea7c29705b188b464cc9cdc107c275b94b2a72 — follow-up hardening to scope replay dedupe by path and account
Release Process Note
The initial fix shipped in OpenClaw 2026.3.31 on March 31, 2026. The current published npm release 2026.4.1 from April 1, 2026 also contains follow-up hardening for the same surface.
Thanks @nexrin for reporting.
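The following is an added illustration of the dedupe-key problem described above; it is not OpenClaw's code, and the names (ReplayDedupe, WebhookTarget, the account ids, paths and event values) are constructed for the example. It contrasts a cache keyed only on event name and message id with one scoped by account and webhook path, as the fix commits describe.

```typescript
// Constructed model of a webhook replay-dedupe cache (not OpenClaw's implementation).
type WebhookEvent = { eventName: string; msgId: string };
type WebhookTarget = { accountId: string; path: string };
type KeyFn = (t: WebhookTarget, e: WebhookEvent) => string;

class ReplayDedupe {
  private seen = new Map<string, number>();
  constructor(private keyFn: KeyFn, private ttlMs = 60_000) {}

  // Returns true if the event should be processed, false if it is treated as a replay.
  accept(target: WebhookTarget, event: WebhookEvent, now: number): boolean {
    const key = this.keyFn(target, event);
    const firstSeen = this.seen.get(key);
    if (firstSeen !== undefined && now - firstSeen < this.ttlMs) return false;
    this.seen.set(key, now);
    return true;
  }
}

// Broad key (the pre-2026.3.31 behaviour): the cache is shared across every target,
// so any two accounts seeing the same event name + message id collide.
const broadKey: KeyFn = (_t, e) => `${e.eventName}:${e.msgId}`;

// Scoped key (the fix): account and webhook path are part of the key, so one
// target's replay state cannot suppress a legitimate event on another target.
const scopedKey: KeyFn = (t, e) => `${t.accountId}:${t.path}:${e.eventName}:${e.msgId}`;

// Constructed scenario: target A (attacker-controlled) delivers an event whose
// event name and message id match one that legitimately arrives on target B.
function simulateCrossAccount(keyFn: KeyFn): { firstAccepted: boolean; victimAccepted: boolean } {
  const cache = new ReplayDedupe(keyFn);
  const targetA: WebhookTarget = { accountId: "acct-A", path: "/webhooks/zalo/a" };
  const targetB: WebhookTarget = { accountId: "acct-B", path: "/webhooks/zalo/b" };
  const ev: WebhookEvent = { eventName: "message_received", msgId: "12345" };
  const firstAccepted = cache.accept(targetA, ev, 1_000);
  const victimAccepted = cache.accept(targetB, ev, 1_010);
  return { firstAccepted, victimAccepted };
}

// A genuine replay on the same target must still be suppressed with either key.
function simulateSameTargetReplay(keyFn: KeyFn): boolean {
  const cache = new ReplayDedupe(keyFn);
  const target: WebhookTarget = { accountId: "acct-A", path: "/webhooks/zalo/a" };
  const ev: WebhookEvent = { eventName: "message_received", msgId: "777" };
  cache.accept(target, ev, 1_000);
  return cache.accept(target, ev, 1_005); // false: replay within TTL
}
```

With the broad key the victim's legitimate event on acct-B is dropped; with the scoped key it is processed, while a true replay on the same target is still rejected.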
Fix
Improper Authentication
Weakness Enumeration
Related identifiers
Affected products
Openclaw