CVE-2026-41402 Overview
CVE-2026-41402 is an authorization bypass in OpenClaw versions prior to 2026.3.31, in the Zalo webhook extension's replay-cache deduplication. The cache keys its replay check on messageId without scoping the key to the individual webhook target, so an authenticated attacker can resubmit a webhook message carrying an already-delivered messageId to a sibling target and have it accepted rather than dropped, which defeats the replay protection.
Critical Impact
An authenticated attacker can get around webhook replay protection and deliver duplicate messages to targets that were never meant to receive them, which can cause duplicate transactions, data-integrity problems or notification flooding on those sibling targets.
Affected Products
- OpenClaw versions prior to 2026.3.31
- OpenClaw Zalo webhook extension components
Discovery Timeline
- 2026-04-28 - CVE-2026-41402 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-41402
Vulnerability Analysis
The vulnerability is classified as CWE-706 (Use of Incorrectly-Resolved Name or Reference). The replay deduplication cache resolves a message by its messageId alone; the target the message belongs to is not part of the cache key, so the same messageId can be presented to a different sibling target and is not recognised as a replay.
Exploitation requires authentication: the attacker needs valid credentials to reach the webhook endpoint. With that access, the attacker can take a previously observed webhook message and resubmit it to a target other than its original recipient. This cross-target replay breaks the assumption that replay protection stops a message from being delivered more than once.
Root Cause
The root cause is that the replay deduplication cache is not scoped per target. The recentWebhookEvents cache does not carry the target identifier in its key, so a messageId that has already been delivered to one target is not recognised as a replay when it arrives for a sibling target, and the message is treated as new instead of being blocked.
Attack Vector
The attack is network-based and requires authentication. An attacker with valid credentials who has observed or intercepted a legitimate webhook message can extract its messageId and resubmit the message to a different sibling target. Because the cache does not tie the messageId to the target it was delivered to, the replayed message passes the deduplication check and is delivered to the unintended target.
Attack complexity is rated high: the attacker needs valid credentials, knowledge of a valid messageId and access to a sibling target. Successful exploitation yields limited confidentiality and integrity impact through delivery of messages to targets that should not receive them.
export function clearZaloWebhookSecurityStateForTest(): void {
webhookRateLimiter.clear();
+ recentWebhookEvents.clear();
webhookAnomalyTracker.clear();
}
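Review bot: the only change in this hunk is that the test-only reset helper now also clears recentWebhookEvents; the per-target keying of the replay cache that the surrounding text attributes to the fix is not in these lines, so either include the hunk that builds the cache key or state plainly that this excerpt shows only the test-helper part of the change. Clearing the cache here is right on its own terms: a helper that reset webhookRateLimiter and webhookAnomalyTracker but left recentWebhookEvents populated let replay state leak from one test into the next, which can mask a regression in the deduplication logic.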
Source: GitHub Commit Reference
The excerpt above shows only the test-reset helper, which now clears the recentWebhookEvents cache along with the rate-limiter and anomaly-tracker state. It is one part of the fix; the rest of the commit scopes the webhook replay deduplication per target so that messageId tracking is kept separate for each destination.
Detection Methods for CVE-2026-41402
Indicators of Compromise
- Duplicate webhook messages appearing across different targets with identical messageId values
- Unusual patterns of webhook activity from authenticated users targeting multiple sibling endpoints
- Log entries showing the same messageId being processed for different target destinations
- Anomalous spikes in webhook delivery to specific targets following legitimate webhook activity
Detection Strategies
- Implement logging that correlates messageId values with target identifiers to identify cross-target replay attempts
- Monitor for authenticated users sending webhook requests with messageId values that have been recently used on other targets
- Deploy application-level monitoring to detect duplicate message delivery patterns across the webhook infrastructure
- Review audit logs for authentication patterns followed by rapid webhook submissions to multiple targets
Monitoring Recommendations
- Enable detailed webhook transaction logging including messageId, target identifier, source IP, and authentication context
- Set up alerts for webhook delivery anomalies, particularly duplicate content delivered to different targets
- Where the extension is instrumented, log replay-cache hits (messages dropped as duplicates) together with messageId and target, so that reuse of a messageId on another target is visible in the same stream as accepted deliveries
- Implement rate limiting alerts for authenticated users making excessive webhook-related API calls
How to Mitigate CVE-2026-41402
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.31 or later which includes the security fix
- Review webhook delivery logs for evidence of cross-target replay exploitation
- Audit authenticated users with access to webhook functionality for suspicious activity
- Consider temporarily implementing additional application-layer replay detection as a defense-in-depth measure
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.3.31. The fix scopes the webhook replay deduplication cache per target, ensuring that messageId tracking is isolated between different webhook destinations. The security patch is available via the GitHub Commit Reference. Additional details are available in the GitHub Security Advisory.
Workarounds
- Implement external replay detection at the load balancer or API gateway level that includes target context in deduplication keys
- Add application-level validation to verify that incoming webhook messageId values have not been used for other targets
- Restrict authenticated user access to webhook functionality to only necessary personnel while awaiting patch deployment
- Consider implementing per-target rate limiting to reduce the impact of successful replay attempts
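The detection strategy above (correlate messageId with the target it was delivered to and flag reuse on another target) and the workaround of validating that an incoming messageId has not already been used for a different target are the same check seen online and offline. What follows is an added example written for this page in TypeScript, the language of the OpenClaw extension; it is not OpenClaw's code and does not reproduce the patched cache. The class name WebhookReplayGuard, the function names, the key=value log format and the 10-minute window are assumptions. The guard binds a messageId to the first target it was accepted for and reports a later arrival of that id for a sibling target as a cross-target replay rather than a new message; the same guard is then run over constructed log lines to find such replays after the fact.

```typescript
// Added example for this advisory, not OpenClaw's own code: a replay guard that
// binds each messageId to the first target it was accepted for, plus an offline
// scan that pushes constructed log lines through the same guard. The names, the
// log format and the 10-minute window are assumptions for illustration.

type Verdict = "accept" | "duplicate" | "cross-target-replay";
// target the messageId was first accepted for, and when (epoch milliseconds)
interface SeenEntry { target: string; firstSeen: number; }

class WebhookReplayGuard {
  private seen: Record<string, SeenEntry> = {};
  private windowMs: number;
  constructor(windowMs: number = 10 * 60 * 1000) { this.windowMs = windowMs; }

  // Classify one inbound (target, messageId) pair observed at time `now`.
  check(target: string, messageId: string, now: number): Verdict {
    this.evictExpired(now);
    const prior = this.seen[messageId];
    if (prior === undefined) {
      this.seen[messageId] = { target: target, firstSeen: now };
      return "accept";
    }
    // Same id, same target: an ordinary retry, dropped as a duplicate.
    if (prior.target === target) return "duplicate";
    // Same id, different target: the id is already bound elsewhere, so this is
    // the cross-target replay the advisory describes, not a new message.
    return "cross-target-replay";
  }

  // Target a messageId is currently bound to, while it is inside the window.
  boundTarget(messageId: string): string | undefined {
    const entry = this.seen[messageId];
    return entry === undefined ? undefined : entry.target;
  }

  private evictExpired(now: number): void {
    for (const id of Object.keys(this.seen)) {
      const entry = this.seen[id];
      if (entry !== undefined && now - entry.firstSeen > this.windowMs) delete this.seen[id];
    }
  }
}

interface WebhookLogLine { ts: number; principal: string; target: string; messageId: string; }

// Assumed log format: ISO timestamp followed by key=value pairs, e.g.
// "2026-04-28T10:00:00Z principal=zalo-app target=oa-1 messageId=m-100".
function parseWebhookLogLine(line: string): WebhookLogLine | null {
  const parts = line.trim().split(/\s+/);
  const ts = Date.parse(parts[0] ?? "");
  if (parts.length < 2 || isNaN(ts)) return null;
  const kv: Record<string, string> = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    if (eq > 0) kv[part.slice(0, eq)] = part.slice(eq + 1);
  }
  const target = kv["target"];
  const messageId = kv["messageId"];
  if (!target || !messageId) return null;
  return { ts: ts, principal: kv["principal"] ?? "unknown", target: target, messageId: messageId };
}

interface ReplayFinding {
  ts: number; principal: string; messageId: string; originalTarget: string; replayTarget: string;
}

// Replay the log in time order through the guard and report every delivery
// whose messageId was already bound to a different target inside the window.
function findCrossTargetReplays(lines: string[], windowMs: number = 10 * 60 * 1000): ReplayFinding[] {
  const guard = new WebhookReplayGuard(windowMs);
  const findings: ReplayFinding[] = [];
  const events = lines
    .map(parseWebhookLogLine)
    .filter((e): e is WebhookLogLine => e !== null)
    .sort((a, b) => a.ts - b.ts);
  for (const e of events) {
    const bound = guard.boundTarget(e.messageId);
    if (guard.check(e.target, e.messageId, e.ts) === "cross-target-replay") {
      findings.push({ ts: e.ts, principal: e.principal, messageId: e.messageId,
                      originalTarget: bound ?? "", replayTarget: e.target });
    }
  }
  return findings;
}

// Constructed sample log; oa-1, oa-2 and oa-3 stand for sibling targets.
const SAMPLE_LOG: string[] = [
  "2026-04-28T10:00:00Z principal=zalo-app target=oa-1 messageId=m-100",
  "2026-04-28T10:00:02Z principal=zalo-app target=oa-2 messageId=m-200",
  "2026-04-28T10:00:05Z principal=zalo-app target=oa-1 messageId=m-100", // retry: duplicate
  "2026-04-28T10:00:30Z principal=user-42 target=oa-2 messageId=m-100", // cross-target replay
  "2026-04-28T10:00:31Z principal=user-42 target=oa-3 messageId=m-100", // cross-target replay
  "2026-04-28T10:20:00Z principal=zalo-app target=oa-2 messageId=m-200", // outside the window: new
];

for (const f of findCrossTargetReplays(SAMPLE_LOG)) {
  console.log(`${new Date(f.ts).toISOString()} ${f.principal} replayed ${f.messageId}` +
              ` (bound to ${f.originalTarget}) to ${f.replayTarget}`);
}
```

Run it with a TypeScript runner such as tsx: the loop at the bottom prints the two constructed replays of m-100 from oa-1 to oa-2 and oa-3, while the retry on oa-1 is dropped as a duplicate and the second m-200 on oa-2 is accepted because it falls outside the window. Two points carry over to a real deployment: the window must be at least as long as the upstream's retry period, or a legitimate late retry is mistaken for a new message, and the guard's state has to be shared across gateway instances (for example in a key-value store with expiry), because a replay that lands on an instance with an empty cache passes.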
# Configuration example
# Upgrade OpenClaw to the patched version. The package name below is the one
# this page gives; confirm it against the project's own install instructions.
npm install @openclaw/core@2026.3.31
# Verify that the resolved version is 2026.3.31 or later
npm list @openclaw/core
# The per-target deduplication scope is applied in the extension's code by the
# fix. This page documents no configuration switch for it, so the version
# check above is the verification step.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


