Description
OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.
Published: 2026-04-09
Score: 6 (Medium)
EPSS: n/a
KEV: No
Impact: Unauthorized execution via Google Chat webhook
Action: Immediate Patch
AI Analysis

Impact

OpenClaw prior to version 2026.3.22 fails to properly verify authentication for the Google Chat app-url webhook. The flaw allows attackers to supply add-on principals that are not bound to the intended deployment, effectively bypassing the webhook’s authentication checks. As a result, an attacker can trigger unauthorized actions through the Google Chat integration, such as sending deceptive messages or manipulating the add-on’s state.

Affected Systems

The vulnerability affects the OpenClaw product (vendor: OpenClaw). All deployments running OpenClaw versions earlier than 2026.3.22 are susceptible. The product’s CPE lists Node.js as the target platform, but the vulnerability itself resides in the OpenClaw application logic rather than in the runtime.

Risk and Exploitability

The CVSS score is 6, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, which suggests limited evidence of exploitation to date. The likely attack vector is crafted webhook requests sent to the Google Chat integration endpoint; successful exploitation results in unauthorized execution of add-on actions, with potential confidentiality or integrity impact on the chat environment. Although no public exploits are known, the moderate score and the ease of triggering the webhook make this a significant risk for users who rely on Google Chat add-ons.

Generated by OpenCVE AI on April 9, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply OpenClaw version 2026.3.22 or later.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.
Title | | OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-290
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}; cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-09T21:26:52.214Z

Reserved: 2026-04-04T12:28:49.756Z

Link: CVE-2026-35622

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T22:16:30.340

Modified: 2026-04-09T22:16:30.340

Link: CVE-2026-35622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:40Z

Weaknesses