CVE-2026-41362
MEDIUMDescription
OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.
Is your site exposed to CVE-2026-41362?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| openclaw | openclaw |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-41362? +
How severe is CVE-2026-41362? +
What products are affected by CVE-2026-41362? +
How do I check if I'm vulnerable to CVE-2026-41362? +
Related Vulnerabilities
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using …
Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with …
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, …
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before …
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission …
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they …