GHSA-52q4-3xjc-6778

Source
https://github.com/advisories/GHSA-52q4-3xjc-6778
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-52q4-3xjc-6778/GHSA-52q4-3xjc-6778.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-52q4-3xjc-6778
Published
2026-03-29T15:48:15Z
Modified
2026-03-29T16:04:55.196886Z
Summary
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Details

Summary

Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Google Chat group authorization previously keyed access decisions on the space's display name, which is mutable and not unique. A policy written for one space could therefore be rebound to a different space whenever a name changed or a second space was given a colliding name. Commit 11ea1f67863d88b6cbcb229dd368a45e07094bff requires stable group IDs, not display names, for access decisions; deployments whose policies were bound to display names need to be re-keyed to the stable IDs after upgrading.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit 11ea1f67863d88b6cbcb229dd368a45e07094bff.
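The following is an added example, not OpenClaw's code, illustrating the pattern the advisory describes: a group policy looked up by the mutable `displayName` (the vulnerable binding) beside the same policy looked up by the stable space resource name `spaces/<id>` (the fixed binding). The policy tables, space objects and the `findMutableKeys` config check are all constructed for this illustration; the only assumption taken from the Google Chat API is that a space's resource name has the form `spaces/<opaque id>` and is assigned by the service, while `displayName` can be set by whoever administers the space.

```javascript
// Added example (not OpenClaw's code). Contrasts policy lookup keyed on a
// mutable displayName with lookup keyed on the stable space resource name.
// All policies and space objects below are constructed.

// Operator policy keyed by display name: the vulnerable binding.
const POLICY_BY_DISPLAY_NAME = {
  "Ops Team": { role: "admin" },
};

// The same policy keyed by the stable space resource name: the fixed binding.
const POLICY_BY_SPACE_ID = {
  "spaces/AAAAops001": { role: "admin" },
};

const DENY = { role: "none" };

// Chat space resource names look like "spaces/<opaque id>"; the id is
// assigned by the service and cannot be chosen or changed by a space admin.
function isStableSpaceId(key) {
  return /^spaces\/[A-Za-z0-9_-]+$/.test(key);
}

// Vulnerable: any space that carries, or is renamed to, a policy's display
// name inherits that policy (collision), and a renamed legitimate space
// silently loses it (rebinding in the other direction).
function authorizeByDisplayName(space, policy = POLICY_BY_DISPLAY_NAME) {
  return policy[space.displayName] ?? DENY;
}

// Hardened: only the exact space the policy was written for matches, and a
// key that is not a stable id is refused outright.
function authorizeBySpaceId(space, policy = POLICY_BY_SPACE_ID) {
  if (!isStableSpaceId(space.name)) return DENY;
  return policy[space.name] ?? DENY;
}

// Config check for operators: returns policy keys that are not stable space
// ids, so name-keyed entries can be found and migrated before enforcement.
function findMutableKeys(policy) {
  return Object.keys(policy).filter((k) => !isStableSpaceId(k));
}

// Constructed spaces. The attacker cannot pick "name" but can pick
// "displayName" for any space they create or administer.
const SPACES = {
  legitimateOps: { name: "spaces/AAAAops001", displayName: "Ops Team" },
  attackerCollision: { name: "spaces/ZZZZevil999", displayName: "Ops Team" },
  legitimateRenamed: { name: "spaces/AAAAops001", displayName: "Ops Team (archived)" },
};

// Runs both authorizers over the constructed spaces and reports the role
// each grants, so the rebinding is visible side by side.
function compare() {
  const out = {};
  for (const [label, space] of Object.entries(SPACES)) {
    out[label] = {
      byDisplayName: authorizeByDisplayName(space).role,
      bySpaceId: authorizeBySpaceId(space).role,
    };
  }
  return out;
}

console.table(compare());
console.log("name-keyed policy entries to migrate:", findMutableKeys(POLICY_BY_DISPLAY_NAME));
```

Running it shows `attackerCollision` granted `admin` by the display-name lookup and `none` by the id lookup, while `legitimateRenamed` is denied by the display-name lookup (the policy is unbound by an innocent rename) and still `admin` by the id lookup. The `findMutableKeys` check is the kind of pre-upgrade audit an operator would run over an existing policy file to find entries that the ID-only authorizer will no longer honor.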

Fix Commit(s)

  • 11ea1f67863d88b6cbcb229dd368a45e07094bff
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:48:15Z",
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-639",
        "CWE-807",
        "CWE-863"
    ]
}
Affected packages

npm / openclaw

Affected ranges
  Type: SEMVER
  Events
    Introduced: 0 (unknown introduced version; all previous versions are affected)
    Fixed: 2026.3.28

Database specific
  source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-52q4-3xjc-6778/GHSA-52q4-3xjc-6778.json"
  last_known_affected_version_range: "<= 2026.3.24"