GHSA-rxmx-g7hr-8mx4: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

April 7, 2026

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

References

github.com/advisories/GHSA-rxmx-g7hr-8mx4
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412
github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4

Code Behaviors & Features

Detect and mitigate GHSA-rxmx-g7hr-8mx4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →