@openclaw/zalo 2026.5.2-beta.2

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/zalo package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Expected Behavior Violation @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Expected Behavior Violation due to insufficient scoping of replay deduplication keys in webhook event processing. An attacker can cause legitimate messages from different conversations or senders to be suppressed by triggering cross-conversation or cross-sender collisions. How to fix Expected Behavior Violation? Upgrade `@openclaw/zalo` to version 2026.5.2 or higher.	<2026.5.2
L Replay Attack @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing `messageId` values across authenticated sibling-target delivery paths. How to fix Replay Attack? Upgrade `@openclaw/zalo` to version 2026.5.2 or higher.	<2026.5.2
M Incorrect Authorization @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Incorrect Authorization via the `media download` process. An attacker can trigger unauthorized network fetches and disk writes by sending crafted messages to Zalo channels, causing the application to store inbound media before validating sender authorization. How to fix Incorrect Authorization? Upgrade `@openclaw/zalo` to version 2026.5.2 or higher.	<2026.5.2

Vulnerability

Vulnerable Version

Expected Behavior Violation

@openclaw/zalo is an OpenClaw Zalo channel plugin

Affected versions of this package are vulnerable to Expected Behavior Violation due to insufficient scoping of replay deduplication keys in webhook event processing. An attacker can cause legitimate messages from different conversations or senders to be suppressed by triggering cross-conversation or cross-sender collisions.

How to fix Expected Behavior Violation?

Upgrade @openclaw/zalo to version 2026.5.2 or higher.

<2026.5.2

Replay Attack

@openclaw/zalo is an OpenClaw Zalo channel plugin

Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths.

How to fix Replay Attack?

Upgrade @openclaw/zalo to version 2026.5.2 or higher.

<2026.5.2

Incorrect Authorization

@openclaw/zalo is an OpenClaw Zalo channel plugin

Affected versions of this package are vulnerable to Incorrect Authorization via the media download process. An attacker can trigger unauthorized network fetches and disk writes by sending crafted messages to Zalo channels, causing the application to store inbound media before validating sender authorization.

How to fix Incorrect Authorization?

Upgrade @openclaw/zalo to version 2026.5.2 or higher.

<2026.5.2

@openclaw/zalo@2026.5.2-beta.2

OpenClaw Zalo channel plugin

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically