CVE-2026-32053 PUBLISHED

OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization

Assigner: VulnCheck
Reserved: 10.03.2026 Published: 21.03.2026 Updated: 21.03.2026

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor OpenClaw
Product OpenClaw
Versions Default: unaffected
  • affected from 0 to 2026.2.23 (excl.)
  • Version 2026.2.23 is unaffected

Credits

  • Jisung (@jiseoung) reporter

References

Problem Types

  • CWE-294 Authentication Bypass by Capture-replay CWE