{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50554?format=json","vulnerability_id":"VCID-6g5n-5y59-aqhn","summary":"OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse\nTwilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions.","aliases":[{"alias":"CVE-2026-32053"},{"alias":"GHSA-vqx8-9xxw-f2m7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"affected_packages":[],"references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32053","reference_id":"CVE-2026-32053","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32053"},{"reference_url":"https://github.com/advisories/GHSA-vqx8-9xxw-f2m7","reference_id":"GHSA-vqx8-9xxw-f2m7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vqx8-9xxw-f2m7"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7","reference_id":"GHSA-vqx8-9xxw-f2m7","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7"}],"weaknesses":[{"cwe_id":294,"name":"Authentication Bypass by Capture-replay","description":"A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes)."},{"cwe_id":863,"name":"Incorrect Authorization","description":"The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6g5n-5y59-aqhn"}