CVE-2026-41402 | Severity: Low

CVE-2026-41402: OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass

Vendor Openclaw
Product OpenClaw
Weakness CWE-706
Published April 28, 2026
Last update April 29, 2026

CVSS base score: 2.3/10 (Low)

Attack vector: Network
Attack complexity: High
Attack requirements: Present
Privileges required: Low
User interaction: None
Confidentiality impact: Low
Integrity impact: Low
Availability impact: None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.3.31 contains a scope-bypass vulnerability in its webhook replay-cache deduplication: the cache key is scoped too broadly, so an authenticated attacker can replay a message to a sibling target by reusing the same messageId. This bypasses replay protection and delivers duplicate webhook messages to targets that should not have received them.
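The following is an added illustration of the weakness class behind this record, not OpenClaw's code and not a reproduction of its actual cache layout: a replay cache only protects against duplicates if its key is scoped to the same unit in which the messageId is unique. The account/target model, the TTL, and the "weak" per-target keying are assumptions made for the example; the page does not state how OpenClaw keys its cache.

```python
# Added illustration of replay-cache key scope (generic code, not OpenClaw's).
# Assumption: a messageId is unique within an "account" that owns several
# sibling webhook targets; the weak per-target keying shown is hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    account_id: str  # scope in which messageIds are unique (assumption)
    target_id: str   # one of several sibling endpoints under that account


class ReplayCache:
    """Remembers delivered messageIds so a repeat within the TTL is rejected.

    key_scope="target"  -> hypothetical weak keying: each sibling target has
                           its own cache, so a replayed messageId is accepted
                           again by the sibling.
    key_scope="account" -> key matches the scope in which the id is unique,
                           so a replay to any sibling target is rejected.
    """

    def __init__(self, ttl_seconds: float, key_scope: str = "account") -> None:
        if key_scope not in ("target", "account"):
            raise ValueError("key_scope must be 'target' or 'account'")
        self.ttl = ttl_seconds
        self.key_scope = key_scope
        self._seen: dict[tuple[str, str], float] = {}  # key -> first-seen time

    def _key(self, target: Target, message_id: str) -> tuple[str, str]:
        if self.key_scope == "target":
            return (target.target_id, message_id)
        return (target.account_id, message_id)

    def _evict(self, now: float) -> None:
        # Drop entries older than the TTL so the cache stays bounded.
        expired = [k for k, t in self._seen.items() if now - t >= self.ttl]
        for k in expired:
            del self._seen[k]

    def check_and_record(self, target: Target, message_id: str, now: float) -> bool:
        """Return True if the message is fresh (and record it), False on replay."""
        self._evict(now)
        key = self._key(target, message_id)
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def simulate(key_scope: str) -> list[bool]:
    """Deliver one messageId to two sibling targets, then to a target in a
    different account, then retry the first target after the TTL has expired.
    Inputs are constructed for the example."""
    cache = ReplayCache(ttl_seconds=60.0, key_scope=key_scope)
    a = Target(account_id="acct-1", target_id="hook-a")
    b = Target(account_id="acct-1", target_id="hook-b")  # sibling of a
    c = Target(account_id="acct-2", target_id="hook-c")  # unrelated account
    return [
        cache.check_and_record(a, "msg-001", now=0.0),   # first delivery
        cache.check_and_record(b, "msg-001", now=1.0),   # same id, sibling target
        cache.check_and_record(a, "msg-001", now=2.0),   # same id, same target
        cache.check_and_record(c, "msg-001", now=3.0),   # same id, other account
        cache.check_and_record(a, "msg-001", now=61.0),  # after TTL has expired
    ]


if __name__ == "__main__":
    print("per-target keying :", simulate("target"))
    print("per-account keying:", simulate("account"))
```

With per-target keying the second delivery (same messageId, sibling target) is accepted, which is the duplicate-to-unintended-target outcome the description names; with per-account keying it is rejected. The fourth entry is accepted under both schemes because the id is only assumed unique per account, and the last entry shows that replay protection is bounded by the cache TTL regardless of key scope.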

Disclosure timeline

April 28, 2026 CVE published
April 29, 2026 Record updated
