anonhaven
Ad

CVE-2026-28469

HIGH CVSS 4.0: 8.2 EPSS 0.04%
Updated Mar 05, 2026
Google
Parameter Value
CVSS 8.2 (HIGH)
Affected Versions before 2026.2.14
Type CWE-639 (Authorization Bypass (Обход авторизации))
Vendor Google
Public PoC No

OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
Present
Нужны дополнительные условия
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
High
Полная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-639 Authorization Bypass (Обход авторизации)

References 3

https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misr…
disclosure@vulncheck.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-2830

Google

6.1

CVE-2026-2589

Google

5.3

CVE-2026-3136

Google

8.6

CVE-2026-3223

Google

8.4

CVE-2026-2244

Google

8.4