PT-2026-33574 · Npm · Openclaw

Published: 2026-04-07 · Updated: 2026-04-07

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

Impact

Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.
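The collision the Summary and Impact describe, as an added illustration that is not OpenClaw's code: a replay dedupe key built from the event id alone, beside one scoped by chat and sender, run over the same constructed batch. The field names (chatId, senderId, eventId) are assumptions, not the real Zalo webhook schema.

```javascript
// Added example (not OpenClaw's code). Field names are assumed.

// Weak key: carries only the event id, so counters that restart per
// conversation or per sender produce identical keys.
function weakDedupeKey(event) {
  return String(event.eventId);
}

// Scoped key: includes every dimension that makes a delivery distinct.
function scopedDedupeKey(event) {
  return [event.chatId, event.senderId, event.eventId].join("|");
}

// Replay filter: accept() returns true the first time a key is seen and
// false afterwards (the event is treated as a replay and dropped).
class ReplayDeduper {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.seen = new Set();
  }
  accept(event) {
    const key = this.keyFn(event);
    if (this.seen.has(key)) return false;
    this.seen.add(key);
    return true;
  }
}

// Run a batch through a deduper and return the labels of dropped events.
function processBatch(keyFn, events) {
  const deduper = new ReplayDeduper(keyFn);
  const dropped = [];
  for (const ev of events) {
    if (!deduper.accept(ev)) dropped.push(ev.label);
  }
  return dropped;
}

// Constructed sample: two different conversations whose event ids both
// start at 1, followed by one genuine replay of the first event.
const SAMPLE_EVENTS = [
  { label: "chatA/alice#1", chatId: "chatA", senderId: "alice", eventId: 1 },
  { label: "chatB/bob#1", chatId: "chatB", senderId: "bob", eventId: 1 },
  { label: "chatA/alice#1 (replay)", chatId: "chatA", senderId: "alice", eventId: 1 },
];

console.log("weak key drops:  ", processBatch(weakDedupeKey, SAMPLE_EVENTS));
console.log("scoped key drops:", processBatch(scopedDedupeKey, SAMPLE_EVENTS));
```

With the weak key the legitimate chatB event is silently suppressed along with the replay; with the scoped key only the replay is dropped.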

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • ef7c553dd16ee579f1d1a363f5881a99726c1412 — scope Zalo webhook replay dedupe across the missing event dimensions

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.
Thanks @D0ub1e-D for reporting.


Weakness Enumeration

Related identifiers

GHSA-RXMX-G7HR-8MX4

Affected products

Openclaw