OpenClaw Plivo V2 Replay Identity Vulnerability
Vulnerability
A replay identity vulnerability has been identified in OpenClaw versions prior to 2026.3.23, specifically within the Plivo V2 signature verification process. This vulnerability allows attackers to bypass replay protection by making unsigned modifications to query parameters. The issue arises because the verification process derives replay keys from the complete URL, including the query string, rather than from the canonicalized base URL that the signature actually covers. As a result, altering only the query string of an already signed request yields a new replay key for a request that still verifies, so the replayed request is treated as a new, verified request.
Impact
Exploitation of this vulnerability allows for authentication bypass by replaying modified requests, potentially leading to unauthorized actions or access.
Reproduction
To reproduce this vulnerability, send a signed request to a Plivo V2 webhook endpoint, including query parameters that are not part of the canonicalized base URL. The webhook verification process will incorrectly treat this as a new, verified request, bypassing the intended replay protection.
Remediation
Update to OpenClaw version 2026.3.23 or later to address this vulnerability.
