PT-2026-35550 · Openclaw · Openclaw

Keensecuritylab and 2 others · Published 2026-04-27 · Updated 2026-04-28 · CVE-2026-41362

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.19 through 2026.3.30

Description: An improper cache isolation issue exists in the Zalo webhook replay-dedupe mechanism, which is shared across all authenticated webhook targets instead of being scoped to the target that received the event. Because the dedupe key is matched only on the event name and message id parameters, in multi-account deployments an attacker who controls one authenticated Zalo webhook path can send an event with a chosen event name and message id first; a later legitimate event on another account that carries the same event name and message id is then treated as a replay and suppressed. The attacker needs valid credentials for their own webhook target (PR:L) and can only drop events, not read or alter them (C:N/I:N/A:L). Single-account deployments are not exposed to this cross-account suppression.

Recommendations: Update to version 2026.3.31.
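The following is an added illustration of the mechanism the description refers to; it is not OpenClaw's code and does not reproduce its Zalo handler. It builds a small replay-dedupe cache and drives a constructed two-account scenario through it twice: once with a key derived only from the event name and message id (the shared-namespace behaviour the advisory describes) and once with the authenticated webhook target folded into the key. The field names `target`, `eventName` and `messageId`, the event name `user_send_text` and the message ids are assumptions chosen for the demo.

```typescript
// Added example (not OpenClaw's code): a minimal inbound-webhook replay-dedupe
// cache, keyed first the shared way the advisory describes and then scoped to
// the authenticated webhook target. All names and sample events are constructed.

interface WebhookEvent {
  target: string;     // authenticated webhook target (account) that received the event; assumed field name
  eventName: string;  // event name parameter from the webhook payload
  messageId: string;  // message id parameter from the webhook payload
}

type DedupeKeyFn = (ev: WebhookEvent) => string;

class ReplayDedupeCache {
  // key -> expiry timestamp in ms; plain object with no prototype to avoid key collisions
  private readonly seen: { [key: string]: number } = Object.create(null);

  constructor(private readonly keyOf: DedupeKeyFn, private readonly ttlMs: number = 60000) {}

  // Returns true if the event should be processed, false if it is treated as a replay.
  accept(ev: WebhookEvent, nowMs: number): boolean {
    const key = this.keyOf(ev);
    const expiresAt = this.seen[key];
    if (expiresAt !== undefined && expiresAt > nowMs) {
      return false; // already seen inside the TTL window
    }
    this.seen[key] = nowMs + this.ttlMs;
    return true;
  }
}

// Vulnerable keying: one namespace for every target, so any target can pre-seed a key
// that a different target's genuine event will later collide with.
const sharedKey: DedupeKeyFn = (ev) => JSON.stringify([ev.eventName, ev.messageId]);

// Hardened keying: the receiving target is part of the key, so a sender can only ever
// suppress its own events. JSON.stringify avoids delimiter collisions between fields.
const scopedKey: DedupeKeyFn = (ev) => JSON.stringify([ev.target, ev.eventName, ev.messageId]);

// Constructed scenario: an attacker-controlled target posts first with an event name and
// message id that the victim's genuine traffic will also carry; the victim's event then
// arrives, followed by a real duplicate of it that should be dropped in both cases.
const scenario: WebhookEvent[] = [
  { target: "attacker-oa", eventName: "user_send_text", messageId: "msg-1001" },
  { target: "victim-oa",   eventName: "user_send_text", messageId: "msg-1001" },
  { target: "victim-oa",   eventName: "user_send_text", messageId: "msg-1001" }, // true replay
];

// Run the events through a fresh cache and return "target/messageId" for each one processed.
function processed(keyOf: DedupeKeyFn, events: WebhookEvent[] = scenario): string[] {
  const cache = new ReplayDedupeCache(keyOf);
  const out: string[] = [];
  events.forEach((ev, i) => {
    if (cache.accept(ev, 1000 + i)) {
      out.push(ev.target + "/" + ev.messageId);
    }
  });
  return out;
}

console.log("shared key:", processed(sharedKey));  // the victim's legitimate event is suppressed
console.log("scoped key:", processed(scopedKey));  // the victim's event is delivered; its replay is still dropped
```

With the shared key the attacker's first post occupies the slot for `user_send_text`/`msg-1001`, so the victim's genuine event is discarded as a replay; with the scoped key both targets' first events are processed and only the victim's real duplicate is dropped. When auditing a multi-tenant webhook receiver, the check is exactly this: confirm that whatever identifies the authenticated target is part of the dedupe key (or that each target has its own cache), not just the fields the remote sender controls.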

Fix: available in version 2026.3.31

Weakness Enumeration: Exposure of Resource to Wrong Sphere (CWE-668)

Related Identifiers: CVE-2026-41362

Affected Products: Openclaw