Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-41362
PUBLISHED
More InfoOfficial Page
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
View Known Exploited Vulnerability (KEV) details
Published At-27 Apr, 2026 | 23:24
Updated At-26 May, 2026 | 11:52
Rejected At-
▼CVE Numbering Authority (CNA)
OpenClaw 2026.2.19 through 2026.3.30 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.

Affected Products
Vendor
OpenClawOpenClaw
Product
OpenClaw
Default Status
unaffected
Versions
Affected
  • From 2026.2.19 before 2026.3.31 (semver)
Unaffected
  • 2026.3.31 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-668CWE-668: Exposure of Resource to Wrong Sphere
Type: CWE
CWE ID: CWE-668
Description: CWE-668: Exposure of Resource to Wrong Sphere
Metrics
VersionBase scoreBase severityVector
4.02.3LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Nathan (@nexrin)
finder
KeenSecurityLab
finder
qclawer
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v
vendor-advisory
https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf
patch
https://github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72
patch
https://www.vulncheck.com/advisories/openclaw-webhook-replay-dedupe-cache-event-suppression-via-shared-authentication
third-party-advisory
Hyperlink: https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v
Resource:
vendor-advisory
Hyperlink: https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf
Resource:
patch
Hyperlink: https://github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/openclaw-webhook-replay-dedupe-cache-event-suppression-via-shared-authentication
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found