@openclaw/zalo@2026.3.2

OpenClaw Zalo channel plugin

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/zalo package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version

Severity: M (medium)
Expected Behavior Violation

@openclaw/zalo is an OpenClaw Zalo channel plugin

Affected versions of this package are vulnerable to Expected Behavior Violation due to insufficient scoping of replay deduplication keys in webhook event processing. An attacker can cause legitimate messages from different conversations or senders to be suppressed by triggering cross-conversation or cross-sender collisions.

How to fix Expected Behavior Violation?

A fix was pushed into the master branch but not yet published.

Vulnerable version: * (all versions)
Severity: L (low)
Replay Attack

Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths.

How to fix Replay Attack?

A fix was pushed into the master branch but not yet published.

Vulnerable version: >=0.0.0 (all versions)
Severity: M (medium)
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization via the media download process. An attacker can trigger unauthorized network fetches and disk writes by sending crafted messages to Zalo channels, causing the application to store inbound media before validating sender authorization.

How to fix Incorrect Authorization?

A fix was pushed into the master branch but not yet published.

Vulnerable version: >=0.0.0 (all versions)
Severity: M (medium)
Brute Force

Affected versions of this package are vulnerable to Brute Force via the Zalo webhook handler. An attacker can repeatedly attempt to guess webhook secrets without triggering rate limiting by sending requests with invalid secrets, as these requests are not counted against the rate limiter. This allows brute-force attacks to be conducted more easily.

Note: CVE-2026-34508 is a duplicate of this vulnerability.

How to fix Brute Force?

Upgrade @openclaw/zalo to version 2026.3.12 or higher.

Vulnerable version: <2026.3.12