PT-2026-33574 — Npm Openclaw

PT-2026-33574 · Npm · Openclaw

Published

2026-04-07

Updated

2026-04-07

CVSS v4.0

6.3

Medium

Vector

AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

Impact

Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: <= 2026.4.1
Patched versions: >= 2026.4.2
Latest published npm version: 2026.4.1

Fix Commit(s)

ef7c553dd16ee579f1d1a363f5881a99726c1412 — scope Zalo webhook replay dedupe across the missing event dimensions

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.

Thanks @D0ub1e-D for reporting.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-440CWE-349

Related Identifiers

GHSA-RXMX-G7HR-8MX4

Affected Products

Openclaw