Description
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
Published: 2026-03-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Account context bypass via webhook routing
Action: Patch Immediately
AI Analysis

Impact

OpenClaw versions before 2026.2.14 suffer a webhook routing flaw in the Google Chat monitor component. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): when several webhook targets are bound to the same HTTP path, the first target whose request verification succeeds is selected, so an inbound event can be processed under an account context other than the one it was sent for. The allowlists and session policies of the intended account are never applied; the event is handled with another account's policy context instead. The published metrics rate this as an integrity impact (CVSS 3.1 C:N/I:H/A:N, CVSS 4.0 VI:H); the initial 9.8 score with full confidentiality, integrity and availability impact was withdrawn on 2026-03-06 (see History below).

Affected Systems

The vulnerability affects OpenClaw (CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*) in every version prior to 2026.2.14. The misrouting only arises in deployments that expose the Google Chat monitor webhook with more than one target bound to the same HTTP path; an instance with one target per path does not meet the precondition. No other vendor or product is affected.

Risk and Exploitability

The CVSS 4.0 base score of 8.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VI:H) rates the issue high: it is reachable over the network without privileges or user interaction, but it carries an attack requirement (AT:P), namely a deployment in which several webhook targets share one path. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, the SSVC assessment records no known exploitation, and the vulnerability is not listed in the CISA KEV catalog. To exploit it, an attacker delivers a Google Chat webhook event to the shared path such that first-match verification succeeds for a target other than the one the event belongs to; the event is then processed under that target's account context, allowlist and session policy. The attacker therefore needs to get an event to the shared path that passes verification for some target on it, which may be possible from a compromised client or by abuse of a legitimate webhook source.

Generated by OpenCVE AI on April 17, 2026 at 12:35 UTC.

Remediation

The issue is fixed in OpenClaw 2026.2.14 (per the CVE description and the GitHub advisory GHSA-rq6g-px6m-c248 listed below); no separate workaround for earlier versions is published on this page.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.14 or later
  • Configure distinct webhook paths or separate endpoints for each account to eliminate path ambiguity
  • Implement strict request origin validation and enforce account‑specific allowlists for all webhook traffic


Advisories
Source: Github GHSA
ID: GHSA-rq6g-px6m-c248
Title: OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
History

Mon, 09 Mar 2026 18:15:00 +0000
  Metrics, added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 16:45:00 +0000
  Metrics, removed: cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics, added: cvssV3_1
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Thu, 05 Mar 2026 22:15:00 +0000
  Description, added: OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
  Title, added: OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity
  First Time appeared, added: Openclaw; Openclaw openclaw
  Weaknesses, added: CWE-639
  CPEs, added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products, added: Openclaw; Openclaw openclaw
  References: (no values shown)
  Metrics, added: cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics, added: cvssV4_0
    {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE
  Status: PUBLISHED
  Assigner: VulnCheck
  Published:
  Updated: 2026-03-09T18:02:19.456Z
  Reserved: 2026-02-27T19:19:10.890Z
  Link: CVE-2026-28469

Vulnrichment
  Updated: 2026-03-09T18:02:13.901Z

NVD
  Status: Analyzed
  Published: 2026-03-05T22:16:20.407
  Modified: 2026-03-09T20:29:33.457
  Link: CVE-2026-28469

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-17T12:45:16Z

Weaknesses