GHSA-fqrj-m88p-qf3v.yaml
info:
  name: OpenClaw
  cve: GHSA-fqrj-m88p-qf3v
  summary: OpenClaw Zalo replay dedupe cache could suppress events across authenticated webhook targets
  details: >-
    Summary


    Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed
    too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account
    if event_name and message_id matched.


    Impact


    An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent
    message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide
    cross-account authentication or data access.


    Affected Packages / Versions


    - Package: openclaw (npm)

    - Affected versions: >= 2026.2.19, < 2026.3.31

    - Patched versions: >= 2026.3.31

    - Latest published npm version: 2026.4.1
  cvss: ''
  severity: LOW
  security_advise: Upgrade openclaw to >= 2026.3.31 or later. Commit(s) - 4d038bb242c11f39e45f6a4bde400e5fd42e4ebf — scope
    webhook replay dedupe per target - 7cea7c29705b188b464cc9cdc107c275b94b2a72 — follow-up hardening to scope replay dedupe
    by path and account
  references:
    - https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v
rule: version < "2026.3.31"
references:
  - https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v