GHSA-rqp8-q22p-5j9q

Suggest an improvement
Source
https://github.com/advisories/GHSA-rqp8-q22p-5j9q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rqp8-q22p-5j9q/GHSA-rqp8-q22p-5j9q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rqp8-q22p-5j9q
Aliases
  • CVE-2026-35635
Downstream
Published
2026-03-26T21:45:35Z
Modified
2026-04-10T20:34:58.952436Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Details

Summary

Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 980940aa58f862da4e19372597bbc2a9f268d70b

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • extensions/synology-chat/src/accounts.ts now distinguishes inherited base webhook paths from explicit per-account paths.
  • extensions/synology-chat/src/gateway-runtime.ts now fails closed on inherited or duplicate webhook paths and registers routes without replacement.

OpenClaw thanks @tdjackey for reporting.

Database specific
{
    "cwe_ids": [
        "CWE-285"
    ],
    "github_reviewed_at": "2026-03-26T21:45:35Z",
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "MODERATE"
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.3.22

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rqp8-q22p-5j9q/GHSA-rqp8-q22p-5j9q.json"