CVE-2026-41395 Overview
CVE-2026-41395 is a webhook replay vulnerability affecting OpenClaw versions prior to 2026.3.28. The vulnerability exists in the Plivo V3 signature verification mechanism, which canonicalizes query parameter ordering when generating signatures but uses raw URLs for replay detection. This inconsistency allows attackers who capture a valid signed webhook to reorder query parameters, thereby bypassing the replay cache and triggering duplicate voice-call processing.
Critical Impact
Attackers can exploit this flaw to replay captured webhooks with reordered parameters, leading to unauthorized duplicate voice-call processing and potential service abuse.
Affected Products
- OpenClaw versions prior to 2026.3.28
- Systems using Plivo V3 signature verification
Discovery Timeline
- 2026-04-28 - CVE-2026-41395 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-41395
Vulnerability Analysis
This vulnerability stems from an inconsistency between how OpenClaw's Plivo V3 integration handles signature verification versus replay detection. The signature verification process canonicalizes (sorts) query parameters before generating or validating signatures, ensuring that differently-ordered but semantically identical requests produce the same signature. However, the replay detection mechanism hashes the raw URL without canonicalization.
This architectural mismatch creates an exploitable gap: an attacker who intercepts a valid signed webhook request can simply reorder the query parameters. The reordered URL will pass signature verification (since canonicalization normalizes it) but will generate a different hash for replay detection (since the raw URL differs), allowing the same logical request to be processed multiple times.
Root Cause
The root cause is classified under CWE-325 (Missing Required Cryptographic Step). The replay detection mechanism fails to apply the same canonicalization transformation used during signature verification. This missing cryptographic step—canonicalizing URLs before hashing for replay cache lookup—allows semantically identical requests to appear as unique entries in the replay cache.
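The mismatch described above, and the fix that closes it, as an added illustration that is not OpenClaw's or Plivo's code: the signature check covers a canonicalized (sorted-query) URL, so a replay cache keyed on the raw URL misses a reordered copy, while one keyed on the same canonical form catches it. The HMAC-SHA256-over-URL-plus-nonce signature, the token and the sample webhook are constructed stand-ins, not the real Plivo V3 algorithm.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

AUTH_TOKEN = b"constructed-demo-token"  # constructed; not a real Plivo auth token

def canonicalize(url: str) -> str:
    """Rebuild the URL with its query parameters sorted by (name, value)."""
    parts = urlsplit(url)
    params = sorted(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))

def sign(url: str, nonce: str) -> str:
    """Stand-in for a V3-style signature: HMAC-SHA256 over canonical URL + nonce."""
    msg = (canonicalize(url) + nonce).encode()
    return hmac.new(AUTH_TOKEN, msg, hashlib.sha256).hexdigest()

def verify(url: str, nonce: str, signature: str) -> bool:
    return hmac.compare_digest(sign(url, nonce), signature)

def replay_key_vulnerable(url: str, nonce: str) -> str:
    """Replay-cache key hashed from the raw URL: reordering the query changes it."""
    return hashlib.sha256((url + nonce).encode()).hexdigest()

def replay_key_fixed(url: str, nonce: str) -> str:
    """Replay-cache key hashed from the same canonical form the signature covers."""
    return hashlib.sha256((canonicalize(url) + nonce).encode()).hexdigest()

def process(url: str, nonce: str, signature: str, seen: set, key_fn) -> str:
    """Webhook handler outcome: 'rejected', 'processed' or 'replay'."""
    if not verify(url, nonce, signature):
        return "rejected"
    key = key_fn(url, nonce)
    if key in seen:
        return "replay"
    seen.add(key)
    return "processed"

# Constructed sample webhook and a copy of it with the query parameters reordered.
ORIGINAL = "https://example.invalid/plivo?CallUUID=abc-123&From=15550100&To=15550199"
REORDERED = "https://example.invalid/plivo?To=15550199&CallUUID=abc-123&From=15550100"
NONCE = "constructed-nonce"

def demo(key_fn) -> tuple:
    """Deliver the original webhook, then the reordered copy, against one replay cache."""
    seen: set = set()
    sig = sign(ORIGINAL, NONCE)
    return (process(ORIGINAL, NONCE, sig, seen, key_fn),
            process(REORDERED, NONCE, sig, seen, key_fn))
```

`demo(replay_key_vulnerable)` yields ('processed', 'processed'), the duplicate processing the advisory describes; `demo(replay_key_fixed)` yields ('processed', 'replay').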
Attack Vector
The attack requires network access and the ability to capture a valid signed webhook request; no privileges or user interaction are needed. The sequence is:
- Capture a legitimate Plivo V3 webhook request containing a valid signature
- Reorder the query parameters in the URL while keeping the same parameter values
- Submit the modified request to the OpenClaw endpoint
- The signature verification passes due to canonicalization
- The replay cache check fails to detect the duplicate due to raw URL hashing
- Duplicate voice-call processing is triggered
The attack can be performed repeatedly with different parameter orderings, potentially causing significant service abuse through multiple duplicate voice-call operations.
Detection Methods for CVE-2026-41395
Indicators of Compromise
- Multiple webhook requests with identical parameter values but different parameter ordering within short time windows
- Unusual spikes in voice-call processing volumes without corresponding user activity
- Duplicate transaction or call records that share the same underlying signature
Detection Strategies
- Implement logging that captures both the raw URL and a canonicalized version for comparison during security audits
- Monitor for patterns of requests with identical signatures but different URL hashes
- Deploy anomaly detection on webhook endpoints to identify replay attack patterns
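The indicator above (identical parameter values, different ordering, same signature) turned into a log check, as an added example that is not part of the original advisory. The log format and the sample lines are constructed for the illustration; OpenClaw's real access-log layout is not known from this page and the parser would need adapting to it.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (a hypothetical format, not OpenClaw's own):
# timestamp, the signature header value as received, and the raw request URL.
LOG_LINES = [
    "2026-04-28T10:00:01Z sig=3f9a raw=/plivo?CallUUID=abc-123&From=15550100&To=15550199",
    "2026-04-28T10:00:02Z sig=77c1 raw=/plivo?CallUUID=def-456&From=15550101&To=15550199",
    "2026-04-28T10:00:03Z sig=3f9a raw=/plivo?To=15550199&CallUUID=abc-123&From=15550100",
    "2026-04-28T10:00:04Z sig=9be2 raw=/plivo?CallUUID=ghi-789&From=15550102&To=15550199",
    "2026-04-28T10:00:04Z sig=9be2 raw=/plivo?CallUUID=ghi-789&From=15550102&To=15550199",
    "2026-04-28T10:00:05Z sig=3f9a raw=/plivo?From=15550100&To=15550199&CallUUID=abc-123",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) sig=(?P<sig>\S+) raw=(?P<raw>\S+)$")

def canonical_query(raw_url: str) -> tuple:
    """Sorted (name, value) pairs: the form the signature check effectively sees."""
    return tuple(sorted(parse_qsl(urlsplit(raw_url).query, keep_blank_values=True)))

def find_reorder_replays(lines) -> dict:
    """Map signature -> timestamps for signatures that arrived under more than one
    distinct raw URL whose query parameters are identical once canonicalized.
    Exact repeats of one raw URL (sig=9be2 above) are left to the replay cache."""
    by_sig = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the expected format are skipped
            by_sig[m["sig"]].append((m["ts"], m["raw"]))
    findings = {}
    for sig, entries in by_sig.items():
        raw_urls = {raw for _, raw in entries}
        canon_forms = {canonical_query(raw) for raw in raw_urls}
        if len(raw_urls) > 1 and len(canon_forms) == 1:
            findings[sig] = [ts for ts, _ in entries]
    return findings
```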
Monitoring Recommendations
- Enable detailed access logging on webhook endpoints receiving Plivo V3 callbacks
- Set up alerts for duplicate voice-call operations triggered within configurable time thresholds
- Review webhook processing logs for requests that pass signature verification but exhibit unusual URL characteristics
How to Mitigate CVE-2026-41395
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.28 or later immediately
- Review webhook processing logs for evidence of exploitation
- Implement additional rate limiting on webhook endpoints as a temporary safeguard
Patch Information
The vulnerability is resolved in OpenClaw version 2026.3.28. The fix ensures that the replay detection mechanism uses the same canonicalized URL representation as the signature verification process, preventing parameter reordering attacks from bypassing replay detection.
For detailed patch information, refer to the GitHub Security Advisory and the VulnCheck Advisory.
Workarounds
- Implement a custom middleware layer that canonicalizes incoming webhook URLs before they reach the replay detection cache
- Deploy a Web Application Firewall (WAF) rule to normalize query parameter ordering on incoming Plivo webhook requests
- Consider temporarily restricting webhook endpoints to known Plivo IP ranges while awaiting patch deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.