Attack Chain

1. Attacker captures a valid, signed webhook request from Plivo to OpenClaw.
2. Attacker analyzes the captured webhook request, noting the query parameters and their order.
3. Attacker reorders the query parameters in the captured webhook request, while maintaining the validity of the signature (due to OpenClaw’s canonicalization of query ordering for signature verification).
4. Attacker replays the modified webhook request to the OpenClaw server.
5. OpenClaw processes the replayed webhook request because the replay detection mechanism is bypassed due to the reordered query parameters resulting in a different raw URL.
6. The OpenClaw application initiates a duplicate voice-call processing as a result of the replayed webhook.
7. The victim experiences unintended or duplicate voice calls.

Impact

Successful exploitation of this vulnerability can lead to unintended or duplicate voice calls, potentially causing disruption of services and financial implications due to unnecessary call charges. While the direct impact is limited to the processing of voice calls, the vulnerability highlights a weakness in webhook security that could be exploited further in other contexts. The severity is rated as HIGH with a CVSS v3.1 score of 7.5.

Recommendation

• Upgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41395).
• Implement server-side logging for all incoming webhook requests, capturing the raw request URL and timestamp. Deploy the Sigma rule Detect Suspicious Webhook Replay to identify potential replay attacks based on duplicate URLs within a short timeframe.
• Consider implementing additional server-side validation of webhook requests, such as verifying the timestamp to ensure it falls within an acceptable window.