GHSA-gcj7-r3hg-m7w6: OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity
The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header.
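The weak and the bound dedupe key side by side, as an added example that is not OpenClaw's code. The HMAC-SHA1 computation follows Twilio's documented request validation; the auth token, URL, parameters and the SHA-256 key derivation are assumptions constructed for illustration.

```javascript
// Added example, not OpenClaw code. Token, URL and params are constructed.
const nodeCrypto = require("node:crypto");

const AUTH_TOKEN = "constructed-test-token";
const WEBHOOK_URL = "https://example.test/voice/webhook";

// Twilio request validation: HMAC-SHA1 over URL + sorted key/value pairs, base64.
function twilioSignature(url, params, token) {
  const data = Object.keys(params).sort().reduce((s, k) => s + k + params[k], url);
  return nodeCrypto.createHmac("sha1", token).update(data, "utf8").digest("base64");
}

function signatureValid(req, token) {
  const expected = Buffer.from(twilioSignature(req.url, req.params, token));
  const got = Buffer.from(String(req.headers["x-twilio-signature"] || ""));
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Before: dedupe identity read from a header the signature does not cover.
function weakDedupeKey(req) {
  return req.headers["i-twilio-idempotency-token"];
}

// After (assumed derivation): identity bound to the verified signature,
// which covers the URL and every POST parameter.
function boundDedupeKey(req) {
  const sig = req.headers["x-twilio-signature"];
  return nodeCrypto.createHash("sha256").update(sig).digest("hex");
}

// Returns how many requests a handler using keyFn would actually process.
function processedCount(requests, keyFn) {
  const seen = new Set();
  let processed = 0;
  for (const req of requests) {
    if (!signatureValid(req, AUTH_TOKEN)) continue; // unauthenticated: drop
    const key = keyFn(req);
    if (seen.has(key)) continue; // duplicate delivery: skip
    seen.add(key);
    processed++;
  }
  return processed;
}

// Constructed input: one signed webhook delivered twice, second copy
// differing only in the unsigned idempotency header.
function sampleRequests() {
  const params = { CallSid: "CAconstructed0001", CallStatus: "ringing" };
  const sig = twilioSignature(WEBHOOK_URL, params, AUTH_TOKEN);
  const headers = (t) => ({ "x-twilio-signature": sig, "i-twilio-idempotency-token": t });
  return ["tok-a", "tok-b"].map((t) => ({ url: WEBHOOK_URL, params, headers: headers(t) }));
}
```

With the header-derived key both deliveries are processed; with the signature-bound key the second is recognised as a duplicate.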