PT-2026-25491 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
Impact
Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions.
Affected Packages / Versions
- Package:
openclaw(npm) - Vulnerable versions:
<= 2026.2.22-2 - Patched version (released):
>= 2026.2.23
Remediation
The fix preserves provider event IDs through normalization, adds bounded replay dedupe in webhook security validation, and enforces per-call turn-token checks on call-state transitions.
Fix Commit(s)
- 1d28da55a5d0ff409e34999e0961157e9db0a2ab
Release Process Note
patched versions is pre-set to the released version (2026.2.23) This advisory now reflects released fix version 2026.2.23.2.23`.OpenClaw thanks @jiseoung for reporting.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw