PT-2026-33566 · Npm · Openclaw

Published

2026-04-07

·

Updated

2026-04-07

CVSS v4.0

2.3

Low

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if event name and message id matched.

Impact

An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: >= 2026.2.19, < 2026.3.31
  • Patched versions: >= 2026.3.31
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • 4d038bb242c11f39e45f6a4bde400e5fd42e4ebf — scope webhook replay dedupe per target
  • 7cea7c29705b188b464cc9cdc107c275b94b2a72 — follow-up hardening to scope replay dedupe by path and account

Release Process Note

The initial fix shipped in OpenClaw 2026.3.31 on March 31, 2026. The current published npm release 2026.4.1 from April 1, 2026 also contains follow-up hardening for the same surface.

Thanks @nexrin for reporting.

Weakness Enumeration

Improper Authentication

Related Identifiers

GHSA-FQRJ-M88P-QF3V

Affected Products

Openclaw