CVE-2026-41354: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.
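The collision described above can be reproduced with a small replay cache. This is an added example, not OpenClaw's code or the actual fix. The field names `chatId`, `senderId` and `messageId`, the `zalo` key prefix and the 60-second TTL are assumptions made for illustration.

```javascript
// Added illustration. Field names (chatId, senderId, messageId) are assumed;
// they are not taken from the Zalo webhook schema or from OpenClaw's source.

// Under-scoped key: identifies an event by message id alone.
const weakKey = (e) => `zalo:${e.messageId}`;

// Scoped key: chat and sender are part of the event identity. Encoding the
// tuple as JSON avoids delimiter ambiguity between adjacent fields.
const scopedKey = (e) =>
  JSON.stringify(["zalo", e.chatId, e.senderId, e.messageId]);

// Minimal replay cache: remembers keys for ttlMs and reports repeats.
class ReplayCache {
  constructor(keyFn, ttlMs = 60_000) {
    this.keyFn = keyFn;
    this.ttlMs = ttlMs;
    this.seen = new Map(); // key -> expiry timestamp (ms)
  }
  // Returns true when the event should be processed, false when dropped.
  accept(event, now = Date.now()) {
    for (const [k, exp] of this.seen) if (exp <= now) this.seen.delete(k);
    const key = this.keyFn(event);
    if (this.seen.has(key)) return false;
    this.seen.set(key, now + this.ttlMs);
    return true;
  }
}

// Constructed sample events: two different conversations reuse message id
// "m-1", followed by a genuine replay of the first delivery.
const sampleEvents = [
  { chatId: "chat-A", senderId: "user-1", messageId: "m-1", text: "hello" },
  { chatId: "chat-B", senderId: "user-2", messageId: "m-1", text: "invoice?" },
  { chatId: "chat-A", senderId: "user-1", messageId: "m-1", text: "hello" },
];

// Feeds events through a fresh cache; returns the accept/drop decision for each.
function decisions(keyFn, events, now = 0) {
  const cache = new ReplayCache(keyFn);
  return events.map((e) => cache.accept(e, now));
}

console.log("weak  :", decisions(weakKey, sampleEvents));
console.log("scoped:", decisions(scopedKey, sampleEvents));
```

With the under-scoped key the second event, a legitimate message from another chat and sender, is dropped as a duplicate. With the scoped key only the true replay is dropped.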
References
- github.com/advisories/GHSA-rxmx-g7hr-8mx4
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412
- github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4
- nvd.nist.gov/vuln/detail/CVE-2026-41354
- www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys