OpenClaw Webhook Replay Detection Bypass Vulnerability

Vulnerability

A replay detection bypass vulnerability has been identified in OpenClaw versions prior to 2026.3.31. It arises in the handling of webhook signatures: a Base64-encoded signature and its Base64URL-encoded form are treated as two distinct requests by the replay detection logic, even though both decode to the same signature bytes. As a result, attackers can re-encode Telnyx webhook signatures to evade replay detection while the signature still verifies as valid.

Impact

Exploitation of this vulnerability allows for bypassing replay detection in webhook signature verification, potentially leading to unauthorized repeated actions or events being processed.

Reproduction

To reproduce this vulnerability, send a Telnyx webhook whose signature has been re-encoded in Base64URL format to a server running an OpenClaw version prior to 2026.3.31. The server treats it as a distinct request, bypassing the replay detection mechanism. This is done by taking a valid Base64-encoded signature and converting it to Base64URL by replacing certain characters and removing padding. When the webhook is received, the application verifies the signature as valid but does not recognize the request as a replay, so the action is processed again.
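The defect described above and its fix, as an added example that is not OpenClaw's code: the flawed path keys the replay cache on the signature header text as received, so two encodings of one signature look like two requests; the fixed path decodes the signature to raw bytes first, so both encodings collapse to one key. The HMAC-SHA256 stand-in, the secret and the sample payload are assumptions constructed for this example (the real Telnyx scheme is Ed25519 and is not reproduced here).

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo secret for the stand-in signature scheme (assumption).
SECRET = b"constructed-demo-secret"


def decode_signature(sig: str) -> bytes:
    """Normalise Base64 or Base64URL (padded or not) to the raw signature bytes.
    A stricter variant would reject any encoding other than the one expected."""
    s = sig.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore padding stripped by the Base64URL form
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed signature encoding") from exc


def sign(timestamp: str, payload: bytes, urlsafe: bool = False) -> str:
    """Sender side of the stand-in scheme: HMAC over timestamp|payload."""
    mac = hmac.new(SECRET, timestamp.encode() + b"|" + payload, hashlib.sha256).digest()
    if urlsafe:
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return base64.b64encode(mac).decode()


def signature_valid(sig: str, timestamp: str, payload: bytes) -> bool:
    """Verifier accepts either encoding, mirroring the behaviour the advisory describes."""
    expected = hmac.new(SECRET, timestamp.encode() + b"|" + payload, hashlib.sha256).digest()
    try:
        return hmac.compare_digest(decode_signature(sig), expected)
    except ValueError:
        return False


def process_webhook(sig: str, timestamp: str, payload: bytes, seen: set, canonical: bool) -> str:
    """Return 'accepted', 'replay' or 'invalid'.
    canonical=False reproduces the flaw: the replay key is the header text as received.
    canonical=True is the fix: the replay key is the decoded signature bytes."""
    if not signature_valid(sig, timestamp, payload):
        return "invalid"
    key = decode_signature(sig) if canonical else sig
    if key in seen:
        return "replay"
    seen.add(key)
    return "accepted"
```

In a production verifier the replay key should also carry the event id or timestamp and the timestamp should be bounded to a short window, neither of which this example shows.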

Remediation

Users can upgrade to OpenClaw version 2026.3.31 or later, where this vulnerability has been patched.

Added: Apr 23, 2026, 10:27 PM
Updated: Apr 23, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.