CVE
CVE-2026-41395
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
Summary
Plivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key.
Impact
An attacker who captured one valid signed Plivo V3 webhook could replay the same event by permuting query parameters and trigger duplicate voice-call processing.
Affected Component
extensions/voice-call/src/webhook-security.ts
Fixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit 85777e726c (Voice Call: canonicalize Plivo V3 replay key).
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Related Resources
No items found.
References
https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6, https://github.com/openclaw/openclaw/commit/85777e726cb02c01a911b3ff832ddf4d664d5c94, https://github.com/openclaw/openclaw
Basic Information
Ecosystem
