GHSA-6477-wvjj-47v6: Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.
References
- github.com/advisories/GHSA-6477-wvjj-47v6
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412
- github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4
- nvd.nist.gov/vuln/detail/CVE-2026-41354
- www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys
Code Behaviors & Features
Detect and mitigate GHSA-6477-wvjj-47v6 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →