GHSA-fqrj-m88p-qf3v: OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

April 7, 2026

Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if event_name and message_id matched.

References

github.com/advisories/GHSA-fqrj-m88p-qf3v
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf
github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72
github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v

Code Behaviors & Features

Detect and mitigate GHSA-fqrj-m88p-qf3v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →