OpenClaw Webhook Replay-Deduplication Cache Vulnerability in Multi-Account Deployments
Vulnerability
OpenClaw versions from 2026.2.19 up to, but not including, 2026.3.31 do not properly isolate the Zalo webhook replay-deduplication cache. The cache is shared across all authenticated webhook targets and keyed only on an event's event_name and message_id, with no per-account or per-target component. In a multi-account deployment, an attacker who can deliver an event whose event_name and message_id match those of a pending legitimate event on a different account can therefore cause that legitimate event to be discarded as a replay. The root cause is that the cache key is too broad, which enables cross-account interference.
Impact
Exploitation causes legitimate webhook events to be silently dropped as duplicates, so the affected accounts miss messages or notifications.
Reproduction
To reproduce this vulnerability, first register two Zalo webhook targets on the same OpenClaw gateway deployment, under different accounts but sharing the same webhook path. Then send a replay event to one of the accounts carrying a chosen event_name and message_id. A subsequent legitimate event with the same event_name and message_id arriving for the other account on that webhook path is discarded as a duplicate, demonstrating the cross-account cache-poisoning issue.
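The following TypeScript model is an added illustration of the keying defect described above and in the Vulnerability section; it is not OpenClaw's own code. The cache class, the key functions and the account and message identifiers are all constructed for this example. It shows a replay cache keyed on (event_name, message_id) alone, where a second account's legitimate event is suppressed, beside the same cache keyed with the authenticated target's identifier, where only true replays within one account are dropped.

```typescript
// Added example, not OpenClaw code: a webhook replay-deduplication cache
// whose isolation boundary is decided entirely by the key function.

interface WebhookEvent {
  event_name: string;
  message_id: string;
}

// A key function maps (authenticated target, event) to a cache key.
type KeyFn = (targetId: string, ev: WebhookEvent) => string;

// Weak keying: event fields only. Two targets on the same webhook path
// collide on identical (event_name, message_id), which is the flaw described.
const broadKey: KeyFn = (_targetId, ev) => `${ev.event_name}:${ev.message_id}`;

// Scoped keying: the authenticated target id is part of the key, so an
// event is only treated as a replay within the account it belongs to.
// A NUL delimiter is an assumption here; any unambiguous encoding works.
const scopedKey: KeyFn = (targetId, ev) =>
  [targetId, ev.event_name, ev.message_id].join("\u0000");

class ReplayCache {
  seen: Map<string, number> = new Map(); // key -> expiry timestamp (ms)
  keyFn: KeyFn;
  ttlMs: number;
  maxEntries: number;

  constructor(keyFn: KeyFn, ttlMs = 60_000, maxEntries = 10_000) {
    this.keyFn = keyFn;
    this.ttlMs = ttlMs;
    this.maxEntries = maxEntries;
  }

  // Returns true if the event should be processed, false if it is a replay.
  accept(targetId: string, ev: WebhookEvent, now: number = Date.now()): boolean {
    this.evict(now);
    const key = this.keyFn(targetId, ev);
    if (this.seen.has(key)) return false;
    this.seen.set(key, now + this.ttlMs);
    return true;
  }

  // Drop expired entries, then bound memory by removing the oldest insertions
  // (Map iterates in insertion order).
  evict(now: number): void {
    for (const [k, expiry] of this.seen) {
      if (expiry <= now) this.seen.delete(k);
    }
    while (this.seen.size > this.maxEntries) {
      const oldest = this.seen.keys().next().value;
      if (oldest === undefined) break;
      this.seen.delete(oldest);
    }
  }
}

// The advisory's scenario: two targets on one gateway share a webhook path and
// each receive an event with the same event_name and message_id. Account ids
// and the message id are constructed sample values.
function crossAccountScenario(keyFn: KeyFn): {
  acceptedA: boolean;
  acceptedB: boolean;
  replayA: boolean;
} {
  const cache = new ReplayCache(keyFn);
  const ev: WebhookEvent = { event_name: "message", message_id: "msg-1001" };
  const t0 = 1_000_000;
  const acceptedA = cache.accept("account-A", ev, t0);     // first delivery to A
  const acceptedB = cache.accept("account-B", ev, t0 + 1); // legitimate event for B
  const replayA = cache.accept("account-A", ev, t0 + 2);   // genuine replay to A
  return { acceptedA, acceptedB, replayA };
}

// With broadKey, acceptedB is false: B's event is suppressed by A's entry.
// With scopedKey, acceptedB is true and replayA is still false.
```

A practical check when reviewing a deduplication layer is to run exactly this two-tenant scenario against it: if a second tenant's first-ever event is reported as a duplicate, the cache key is missing the tenant or target dimension.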
Remediation
Update to OpenClaw version 2026.3.31 or later, where this vulnerability has been patched.