{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/replay-attack/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41395"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["webhook","replay-attack","plivo"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.28 is susceptible to a webhook replay vulnerability affecting Plivo V3 signature verification. The vulnerability arises from the application\u0026rsquo;s method of canonicalizing query parameter ordering for signature verification while simultaneously employing raw URLs for replay detection. This discrepancy allows attackers to manipulate the order of query parameters within a captured, valid, signed webhook, effectively bypassing the replay cache detection mechanism. This could lead to the unintended execution of duplicate voice-call processing. 
The vulnerability was reported on April 28, 2026, and poses a risk to systems relying on OpenClaw for processing Plivo webhooks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker captures a valid, signed webhook request from Plivo to OpenClaw.\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the captured webhook request, noting the query parameters and their order.\u003c/li\u003e\n\u003cli\u003eAttacker reorders the query parameters in the captured webhook request, while maintaining the validity of the signature (due to OpenClaw\u0026rsquo;s canonicalization of query ordering for signature verification).\u003c/li\u003e\n\u003cli\u003eAttacker replays the modified webhook request to the OpenClaw server.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the replayed webhook request because the reordered query parameters produce a different raw URL, bypassing the replay detection mechanism.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application initiates duplicate voice-call processing as a result of the replayed webhook.\u003c/li\u003e\n\u003cli\u003eThe victim experiences unintended or duplicate voice calls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unintended or duplicate voice calls, potentially causing disruption of services and financial implications due to unnecessary call charges. While the direct impact is limited to the processing of voice calls, the vulnerability highlights a weakness in webhook security that could be exploited further in other contexts. 
The severity is rated as HIGH with a CVSS v3.1 score of 7.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41395).\u003c/li\u003e\n\u003cli\u003eImplement server-side logging for all incoming webhook requests, capturing the raw request URL and timestamp. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Webhook Replay\u003c/code\u003e to identify potential replay attacks based on duplicate URLs within a short timeframe.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional server-side validation of webhook requests, such as verifying the timestamp to ensure it falls within an acceptable window.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-webhook-replay/","summary":"OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.","title":"OpenClaw Webhook Replay Vulnerability (CVE-2026-41395)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-webhook-replay/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["replay-attack","privilege-escalation","device-pairing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.13 contains a vulnerability in the device pairing verification process. Specifically, the \u003ccode\u003esrc/infra/device-bootstrap.ts\u003c/code\u003e file allows bootstrap setup codes to be replayed. This means an attacker can repeatedly use the same valid bootstrap code before it is approved, leading to an escalation of pending pairing scopes. 
The most critical outcome is privilege escalation to the \u003ccode\u003eoperator.admin\u003c/code\u003e level, granting the attacker significant control over the affected system…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:02Z","date_published":"2026-03-29T13:17:02Z","id":"/briefs/2026-03-openclaw-replay/","summary":"OpenClaw before 2026.3.13 is vulnerable to a replay attack during device pairing verification, allowing attackers to repeatedly verify a bootstrap code and escalate privileges to operator.admin.","title":"OpenClaw Bootstrap Code Replay Vulnerability (CVE-2026-32987)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-replay/"}],"language":"en","title":"CraftedSignal Threat Feed — Replay-Attack","version":"https://jsonfeed.org/version/1.1"}