OpenClaw Zalo Webhook Replay Dedupe Key Collision Vulnerability
Vulnerability
OpenClaw versions prior to 2026.4.2 build the Zalo webhook replay-deduplication key without scoping it to the chat and sender an event belongs to. Because the key is shared across conversations and senders, legitimate events from different chats or different senders can collide with one another and be discarded as replays, silently suppressing messages and disrupting bot workflows.
Impact
The vulnerability can cause silent suppression of messages, disrupting bot workflows by improperly handling webhook events.
Reproduction
The vulnerability can be reproduced by sending messages that carry duplicate message IDs across different chats or from different senders. The webhook handler incorrectly treats the later events as replays and suppresses them. This can be tested on the Zalo messaging platform by sending messages that replicate these conditions.
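The collision described above and the effect of the fix, as an added example that is not OpenClaw's own code: a minimal replay deduper run over constructed webhook events with the key built from the bare message ID (weak) and from chat, sender and message ID (scoped). The event field names are assumptions, not the real Zalo payload schema.

```typescript
// Added example, not OpenClaw's code. Field names are assumed for illustration.
interface ZaloEvent {
  chatId: string;   // conversation the event belongs to (assumed field)
  senderId: string; // user who sent the message (assumed field)
  msgId: string;    // platform message id, not globally unique across chats
}

type KeyFn = (e: ZaloEvent) => string;

// Weak scoping: the replay key is the bare message id, so two different
// conversations that reuse the same id collide and one is dropped.
const weakKey: KeyFn = (e) => e.msgId;

// Scoped key: chat + sender + message id, serialised unambiguously.
// A replay of the same event is still caught; distinct chats/senders cannot collide.
const scopedKey: KeyFn = (e) => JSON.stringify([e.chatId, e.senderId, e.msgId]);

// Runs a batch through an in-memory dedupe set and reports, per event,
// whether it would be processed (true) or suppressed as a replay (false).
// A production deduper would also expire keys after a TTL.
function processBatch(events: ZaloEvent[], keyFn: KeyFn): boolean[] {
  const seen = new Set<string>();
  return events.map((e) => {
    const k = keyFn(e);
    if (seen.has(k)) return false; // treated as replay: silently dropped
    seen.add(k);
    return true;
  });
}

// Constructed sample: one cross-chat collision and one genuine replay.
const sampleEvents: ZaloEvent[] = [
  { chatId: "chat-A", senderId: "user-1", msgId: "1001" },
  { chatId: "chat-B", senderId: "user-2", msgId: "1001" }, // different chat, same id
  { chatId: "chat-A", senderId: "user-1", msgId: "1001" }, // true replay of event 0
  { chatId: "chat-A", senderId: "user-3", msgId: "1002" },
];

// Number of events actually delivered under a given key scheme.
function deliveredCount(keyFn: KeyFn): number {
  return processBatch(sampleEvents, keyFn).filter(Boolean).length;
}

console.log("weak  :", processBatch(sampleEvents, weakKey));   // [true, false, false, true]
console.log("scoped:", processBatch(sampleEvents, scopedKey)); // [true, true, false, true]
```

With the weak key the legitimate message from chat-B is lost; with the scoped key only the genuine replay is suppressed.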
Remediation
Users can update to OpenClaw version 2026.4.2 or later, where this vulnerability has been patched.