Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver duplicate webhook messages to unintended targets.
AnalysisAI
OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.
Technical ContextAI
OpenClaw's webhook delivery system implements a replay cache to prevent duplicate message delivery, keying deduplication entries by messageId. However, the cache key fails to include sufficient scope isolation (such as target identity, account boundary, or webhook endpoint differentiation), allowing attackers with valid authentication credentials to manipulate which targets receive replayed messages. CWE-706 (Use of Incorrectly-Resolved Name) indicates the root cause involves improper scope resolution in the cache lookup mechanism. The vulnerability affects the webhook processing pipeline, specifically the deduplication logic that should prevent identical messages from being delivered multiple times to the same endpoint but instead allows cross-target message injection when cache entries are reused across sibling targets sharing the same messageId.
RemediationAI
Upgrade OpenClaw to version 2026.3.31 or later; the patch is available via GitHub commit 4d038bb242c11f39e45f6a4bde400e5fd42e4ebf and the associated security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447. If immediate patching is not feasible, restrict webhook replay functionality to single-target contexts or disable cross-target message sharing until the patch can be deployed. Monitor webhook delivery logs for duplicate messages to the same target to detect exploitation attempts; if observed, review recent API authentication logs to identify which authenticated users accessed the webhook systems during the delivery window.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26109