Replay Identity Vulnerability in OpenClaw Impacting Plivo V2 Signature Verification
CVE-2026-35618

8.3 HIGH

Key Information:

Vendor: Openclaw
Status: Vendor
CVE Published: 9 April 2026

What is CVE-2026-35618?

OpenClaw prior to version 2026.3.23 contains a vulnerability in its Plivo V2 signature verification that allows attackers to exploit replay-identity drift. The verification code derives its replay-protection keys from the entire request URL, query string included, rather than from the base URL. An attacker can therefore take a signed request, modify its query parameters, and produce a request that verifies and is treated as new, without any further authorization. This defeats the replay protection that is meant to secure these communications and poses a significant risk to application integrity.
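As an added illustration (not code from OpenClaw or from this advisory), the TypeScript below contrasts a replay cache keyed on the full URL with one keyed on the base URL. It assumes a Plivo-V2-style signature of base64(HMAC-SHA256(authToken, baseUrl + nonce)) that does not cover the query string, and every hostname, token and nonce in it is constructed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
// Assumed scheme (an assumption for this example, not from the advisory): signature =
// base64(HMAC-SHA256(authToken, baseUrl + nonce)). The query string is not covered, so a
// replay may carry a different one; only the replay-key derivation is what the advisory describes.
export function baseUrl(url: string): string {
  const u = new URL(url);
  return `${u.origin}${u.pathname}`;
}

export function signV2(authToken: string, url: string, nonce: string): string {
  return createHmac("sha256", authToken).update(baseUrl(url) + nonce).digest("base64");
}

function signatureValid(authToken: string, url: string, nonce: string, sig: string): boolean {
  const expected = Buffer.from(signV2(authToken, url, nonce));
  const given = Buffer.from(sig);
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Replay-key derivations: the vulnerable one keys on the whole URL, so editing a query
// parameter yields a never-seen key; the fixed one keys on what the signature covers.
export type KeyFn = (url: string, nonce: string, sig: string) => string;
export const replayKeyFullUrl: KeyFn = (url, nonce, sig) => `${url}|${nonce}|${sig}`;
export const replayKeyBaseUrl: KeyFn = (url, nonce, sig) => `${baseUrl(url)}|${nonce}|${sig}`;

// Accept a webhook once: reject a bad signature, then reject any key already seen.
// A plain Set stands in for the TTL-bounded cache a real service would use.
export function verifyOnce(seen: Set<string>, keyFn: KeyFn, authToken: string,
                           url: string, nonce: string, sig: string): boolean {
  if (!signatureValid(authToken, url, nonce, sig)) return false;
  const key = keyFn(url, nonce, sig);
  if (seen.has(key)) return false;
  seen.add(key);
  return true;
}

// Delivers a captured webhook, then the same nonce and signature with one query parameter
// changed, and returns how many of the two were accepted. Sample values are constructed.
export function acceptedDeliveries(keyFn: KeyFn): number {
  const token = "constructed-auth-token";
  const nonce = "constructed-nonce-1";
  const original = "https://hooks.example.test/plivo/voice?CallUUID=abc&Direction=inbound";
  const replayed = "https://hooks.example.test/plivo/voice?CallUUID=abc&Direction=outbound";
  const sig = signV2(token, original, nonce);
  const seen = new Set<string>();
  let accepted = 0;
  for (const url of [original, replayed]) if (verifyOnce(seen, keyFn, token, url, nonce, sig)) accepted++;
  return accepted; // full-URL keys: 2 (replay accepted); base-URL keys: 1
}
```

The vulnerable key function lets the second delivery through because its key differs only by the edited query string, which the signature never covered; the fixed key function ties replay identity to exactly what was signed.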

Affected Version(s)

OpenClaw, all versions before 2026.3.23 (0 < 2026.3.23)

OpenClaw 2026.3.23

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

smaeljaish771
KeenSecurityLab