Perceptive Security
SOC/SIEM Consultancy

OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes…
Published:
27 April 2026 at 22:00:00
Alert date:
28 April 2026 at 20:08:59
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
OpenClaw versions before 2026.3.28 contain a webhook replay vulnerability in Plivo V3 signature verification. The flaw stems from inconsistent handling of query parameters: the system canonicalizes query ordering when verifying the signature but hashes the raw URL for replay detection. An attacker who has captured a valid signed webhook can therefore reorder its query parameters so that the signature still verifies while the replay cache treats the delivery as new, bypassing replay detection. Successful exploitation can lead to duplicate voice-call processing, potentially causing service disruption or unauthorized actions. The vulnerability affects the webhook security mechanism that is designed to prevent replay attacks.
Technical details
Mitigation steps:
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41395
https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6
https://www.vulncheck.com/advisories/openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
