GHSA-GCJ7-R3HG-M7W6
Vulnerability from github – Published: 2026-03-03 22:25 – Updated: 2026-03-03 22:25Summary
The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (i-twilio-idempotency-token), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.25(latest published npm version at triage time) - Fixed on
main: commit1aadf26f9acc399affabd859937a09468a9c5cb4 - Planned patched npm version:
2026.2.26
Impact
Deployments using the optional voice-call Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header.
Technical Details
The fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers.
Fix Commit(s)
1aadf26f9acc399affabd859937a09468a9c5cb4
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.26). After the npm release is published, this advisory can be published without additional version-field edits.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.25"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-294",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T22:25:37Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nThe voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (`i-twilio-idempotency-token`), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.25` (latest published npm version at triage time)\n- Fixed on `main`: commit `1aadf26f9acc399affabd859937a09468a9c5cb4`\n- Planned patched npm version: `2026.2.26`\n\n### Impact\nDeployments using the optional `voice-call` Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header.\n\n### Technical Details\nThe fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers.\n\n### Fix Commit(s)\n- `1aadf26f9acc399affabd859937a09468a9c5cb4`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`). After the npm release is published, this advisory can be published without additional version-field edits.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-gcj7-r3hg-m7w6",
"modified": "2026-03-03T22:25:37Z",
"published": "2026-03-03T22:25:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gcj7-r3hg-m7w6"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/1aadf26f9acc399affabd859937a09468a9c5cb4"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw\u0027s voice-call Twilio replay dedupe now bound to authenticated webhook identity"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.