Description
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.
Published: 2026-04-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Direct Messages
Action: Immediate Patch
AI Analysis

Impact

OpenClaw before version 2026.3.22 has a webhook path route replacement issue in the Synology Chat extension that lets an attacker collapse multiple account configurations onto shared webhook paths. By doing so, the attacker can bypass per-account direct message access controls and take over route ownership across accounts, allowing them to read or send messages in accounts they do not own. The weakness falls under CWE-706 and CWE-863.

Affected Systems

This vulnerability affects the OpenClaw platform when its Synology Chat extension is in use. All installations running an OpenClaw version earlier than 2026.3.22 are potentially impacted. The CPE entry (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*) indicates that the affected software runs in a Node.js environment.

Risk and Exploitability

The CVSS v4.0 base score of 6.3 indicates medium severity. The vector (AV:N/AC:H/AT:P/PR:N/UI:N) describes an attack reachable over the network that requires no privileges or user interaction but has high attack complexity and depends on specific preconditions; the inferred path is crafted HTTP requests to the Synology Chat webhook endpoint. No explicit exploit conditions were listed. The vulnerability is not in the CISA KEV catalog, and the EPSS score of less than 1% suggests a low probability of exploitation, though it still warrants attention.

Generated by OpenCVE AI on April 15, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.22 or later, which corrects the webhook path route replacement logic.
  • Limit access to the Synology Chat webhook endpoint to trusted IP ranges or authenticated users to prevent arbitrary remote requests.
  • Monitor webhook configuration logs for unexpected path changes and enforce a policy that each account keeps a unique, non-shared webhook path.

Advisories
Source        ID                     Title
GitHub GHSA   GHSA-rqp8-q22p-5j9q    OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
History

Wed, 15 Apr 2026 17:00:00 +0000

Type                  Values Removed    Values Added
Weaknesses                              CWE-863

Mon, 13 Apr 2026 19:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial

Thu, 09 Apr 2026 21:45:00 +0000

Type                  Values Removed    Values Added
Description                             OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.
Title                                   OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
First Time appeared                     Openclaw; Openclaw openclaw
Weaknesses                              CWE-706
CPEs                                    cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products                      Openclaw; Openclaw openclaw
References
Metrics                                 cvssV3_1: score 4.8, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                                        cvssV4_0: score 6.3, vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T18:11:18.830Z

Reserved: 2026-04-04T12:29:42.739Z

Link: CVE-2026-35635

Vulnrichment

Updated: 2026-04-13T18:11:01.507Z

NVD

Status: Analyzed

Published: 2026-04-09T22:16:32.567

Modified: 2026-04-15T17:00:10.853

Link: CVE-2026-35635

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses