EUVD-2026-21103
GHSA-j56c-wpqm-h24x
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.
Analysis
Authentication bypass in OpenClaw versions prior to 2026.3.23 enables attackers to forge Plivo V2 signature-verified requests without credentials. The vulnerability stems from replay key derivation using full URLs with query parameters rather than canonicalized base URLs, allowing unauthenticated remote attackers to manipulate query strings on signed requests and generate new valid verification keys. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: identify all systems running OpenClaw and document current versions in use. Within 7 days: upgrade all OpenClaw instances to version 2026.3.23 or later; test Plivo webhook integrations post-upgrade in non-production environment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today