Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-28469

OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
Back to all
CVE

CVE-2026-28469

OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting

Summary

When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.

Affected Packages / Versions

  • npm: openclaw <= 2026.2.13
  • npm: clawdbot <= 2026.1.24-3

Details

Affected component: extensions/googlechat/src/monitor.ts.

Baseline behavior allowed multiple webhook targets per path and selected the first target that passed verifyGoogleChatRequest(...). In shared-path deployments where multiple targets can verify successfully (for example, equivalent audience validation), inbound events could be processed under the wrong account context (wrong allowlist/session/policy).

Fix

  • Fix commit (merged to main): 61d59a802869177d9cef52204767cd83357ab79e
  • openclaw will be patched in the next planned release: 2026.2.14.

clawdbot is a legacy/deprecated package name; no patched version is currently planned. Migrate to openclaw and upgrade to openclaw >= 2026.2.14.

Workaround

Ensure each Google Chat webhook target uses a unique webhook path so routing is never ambiguous.

Release Process Note

The advisory is pre-populated with the planned patched version. After the npm release is published, the remaining action should be to publish the advisory.

Thanks @vincentkoc for reporting.

---

Fix commit 61d59a802869177d9cef52204767cd83357ab79e confirmed on main and in v2026.2.14. Upgrade to openclaw >= 2026.2.14.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248, https://nvd.nist.gov/vuln/detail/CVE-2026-28469, https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e, https://github.com/openclaw/openclaw, https://github.com/openclaw/openclaw/releases/tag/v2026.2.14, https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.0004%
EPSS Percentile
0.12074%
Introduced Version
0,2026.1.29-beta.1,2026.1.27-beta.1,2026.1.24
Fix Available
2026.2.14

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading