GHSA-rq6g-px6m-c248

Source

https://github.com/advisories/GHSA-rq6g-px6m-c248

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rq6g-px6m-c248/GHSA-rq6g-px6m-c248.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rq6g-px6m-c248

Aliases

CVE-2026-28469

Published

2026-02-18T00:54:14Z

Modified

2026-03-06T01:16:17.422593Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting

Details

Summary

When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.

Affected Packages / Versions

npm: openclaw <= 2026.2.13
npm: clawdbot <= 2026.1.24-3

Details

Affected component: extensions/googlechat/src/monitor.ts.

Baseline behavior allowed multiple webhook targets per path and selected the first target that passed verifyGoogleChatRequest(...). In shared-path deployments where multiple targets can verify successfully (for example, equivalent audience validation), inbound events could be processed under the wrong account context (wrong allowlist/session/policy).

Fix

Fix commit (merged to main): 61d59a802869177d9cef52204767cd83357ab79e
openclaw will be patched in the next planned release: 2026.2.14.

clawdbot is a legacy/deprecated package name; no patched version is currently planned. Migrate to openclaw and upgrade to openclaw >= 2026.2.14.

Workaround

Ensure each Google Chat webhook target uses a unique webhook path so routing is never ambiguous.

Release Process Note

The advisory is pre-populated with the planned patched version. After the npm release is published, the remaining action should be to publish the advisory.

Thanks @vincentkoc for reporting.

Fix commit 61d59a802869177d9cef52204767cd83357ab79e confirmed on main and in v2026.2.14. Upgrade to openclaw >= 2026.2.14.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T00:54:14Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-639"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-03-05T22:16:20Z"
}

References

Affected packages

npm / openclaw

Package

Name: openclaw; View open source insights on deps.dev
Purl: pkg:npm/openclaw

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2026.2.14

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rq6g-px6m-c248/GHSA-rq6g-px6m-c248.json"

npm / clawdbot

Package

Name: clawdbot; View open source insights on deps.dev
Purl: pkg:npm/clawdbot

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2026.1.24-3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rq6g-px6m-c248/GHSA-rq6g-px6m-c248.json"