GHSA-rxmx-g7hr-8mx4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rxmx-g7hr-8mx4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rxmx-g7hr-8mx4/GHSA-rxmx-g7hr-8mx4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rxmx-g7hr-8mx4
- Aliases
-
- CVE-2026-41354
- Downstream
- Published
- 2026-04-07T18:15:59Z
- Modified
- 2026-05-07T17:04:42.898522Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
- Details
-
Summary
Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.
Impact
Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.4.1 - Patched versions:
>= 2026.4.2 - Latest published npm version:
2026.4.1
Fix Commit(s)
ef7c553dd16ee579f1d1a363f5881a99726c1412— scope Zalo webhook replay dedupe across the missing event dimensions
Release Process Note
The fix is present on
mainand is staged for OpenClaw2026.4.2. Publish this advisory after the2026.4.2npm release is live.Thanks @D0ub1e-D for reporting.
- Package:
- Database specific
{ "nvd_published_at": null, "severity": "MODERATE", "github_reviewed_at": "2026-04-07T18:15:59Z", "cwe_ids": [ "CWE-349", "CWE-440" ], "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4
- https://nvd.nist.gov/vuln/detail/CVE-2026-41354
- https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw