Medium severity 4.3 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 28, 2026
CVE-2026-41362
Description
OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.
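The isolation failure described above, as an added JavaScript illustration that is not OpenClaw's code: a replay-dedupe cache keyed only on event_name and message_id, next to one whose key also includes the authenticated webhook target. The class, function names, account ids, TTL and sample event values are assumptions constructed for this example.

```javascript
// Added illustration; not OpenClaw's code. All names here are hypothetical.
class ReplayDedupe {
  // keyFn decides which fields make two deliveries "the same event".
  constructor(keyFn, ttlMs = 5 * 60 * 1000) {
    this.keyFn = keyFn;
    this.ttlMs = ttlMs;
    this.seen = new Map(); // key -> expiry timestamp (ms)
  }

  // Returns true if the event should be processed, false if dropped as a replay.
  accept(targetId, event, now = Date.now()) {
    // Purge expired entries so the cache does not grow without bound.
    for (const [k, exp] of this.seen) if (exp <= now) this.seen.delete(k);
    const key = this.keyFn(targetId, event);
    if (this.seen.has(key)) return false;
    this.seen.set(key, now + this.ttlMs);
    return true;
  }
}

// Weak: one key namespace shared by every authenticated webhook target.
const sharedKey = (_targetId, e) => JSON.stringify([e.event_name, e.message_id]);

// Isolated: the authenticated target is part of the key. JSON-encoding the
// tuple avoids delimiter collisions between fields.
const scopedKey = (targetId, e) =>
  JSON.stringify([targetId, e.event_name, e.message_id]);

// Constructed sample deliveries: account-a arrives first, account-b second,
// both carrying the same event_name and message_id.
function simulate(keyFn) {
  const dedupe = new ReplayDedupe(keyFn);
  const evt = { event_name: "message.received", message_id: "msg-1001" };
  const t0 = 1000000;
  return {
    first: dedupe.accept("account-a", evt, t0),
    crossAccount: dedupe.accept("account-b", { ...evt }, t0 + 1000),
    sameAccountReplay: dedupe.accept("account-b", { ...evt }, t0 + 2000),
    afterTtl: dedupe.accept("account-b", { ...evt }, t0 + 1000 + 5 * 60 * 1000),
  };
}
```

With `sharedKey` the `crossAccount` delivery is dropped as a replay; with `scopedKey` it is processed while a genuine replay on the same account is still suppressed.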
References
- github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf (nvd: Patch)
- github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72 (nvd: Patch)
- github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v (nvd: Vendor Advisory)
- www.vulncheck.com/advisories/openclaw-webhook-replay-dedupe-cache-event-suppression-via-shared-authentication (nvd: Third Party Advisory)