CVE-2026-41395: OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering

March 31, 2026 (updated April 28, 2026)

Plivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key.

References

github.com/advisories/GHSA-8689-gm9g-jgr6
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/85777e726cb02c01a911b3ff832ddf4d664d5c94
github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6
nvd.nist.gov/vuln/detail/CVE-2026-41395

Code Behaviors & Features

Detect and mitigate CVE-2026-41395 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →