CVE-2026-41395
Published: 28 April 2026
Summary
CVE-2026-41395 is a high-severity Missing Cryptographic Step (CWE-325) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the known flaw through upgrading OpenClaw to 2026.3.28 or later, fixing the canonicalization inconsistency in Plivo V3 webhook replay detection.
Requires replay-resistant session authenticity mechanisms such as nonces or timestamps alongside signatures to block reordered query parameter replays on webhooks.
Mandates validation of webhook information inputs including query parameters to ensure consistency between signature canonicalization and replay hash detection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a flaw in a public-facing webhook service allowing remote replay attacks by bypassing signature/replay checks, directly enabling exploitation of the application as described in T1190.
NVD Description
OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call…
more
processing with a captured valid signed webhook.
Deeper analysisAI
CVE-2026-41395 is a webhook replay vulnerability in OpenClaw versions before 2026.3.28, specifically within the Plivo V3 signature verification process. The flaw arises because signature verification canonicalizes query parameter ordering, but replay detection hashes raw URLs without canonicalization. This inconsistency enables attackers to manipulate query parameters in captured requests while preserving signature validity.
Remote attackers require no privileges or user interaction to exploit the vulnerability over the network with low complexity. By capturing a valid signed webhook, reordering its query parameters to alter the raw URL hash, and resending it, they can bypass replay cache detection. Successful exploitation triggers duplicate voice-call processing, resulting in high integrity impact as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and mapped to CWE-325 (Missing Required Cryptographic Step).
The OpenClaw GitHub security advisory (GHSA-8689-gm9g-jgr6) and VulnCheck advisory (vulncheck.com/advisories/openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3) published on 2026-04-28 document the issue, with mitigation achieved by upgrading to OpenClaw 2026.3.28 or later.
Details
- CWE(s)