Google Chat Monitor in OpenClaw has a Webhook Routing Flaw
CVE-2026-28469
GHSA-rq6g-px6m-c248
Summary
OpenClaw versions before 2026.2.14 have a webhook routing flaw in the Google Chat monitor. When several webhooks are set up on the same path, an attacker could use this to access data meant for other accounts. To fix, update to OpenClaw 2026.2.14 or later.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| steipete | clawdbot | <= 2026.1.24-3 | – |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets s...
Original description
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
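An added illustration of the routing pattern the description refers to (this is not OpenClaw's code; the class names, path, accounts and token check are constructed for the example): a router that takes the policy context from the first target registered on a path, beside one that binds the context to the target whose secret actually verified the request and rejects ambiguous matches.

```python
"""Model of first-match webhook routing vs. routing bound to the verified target.
Everything here is constructed for illustration, not taken from OpenClaw."""
import hmac
from dataclasses import dataclass, field


@dataclass
class WebhookTarget:
    account: str
    path: str
    token: str                      # per-account verification secret (constructed)
    allowlist: set = field(default_factory=set)


def verify(target: WebhookTarget, token: str) -> bool:
    """Constant-time comparison of the presented token with the target's secret."""
    return hmac.compare_digest(target.token, token)


def route_first_match(targets, path, token):
    """Vulnerable pattern: any target on the path may satisfy verification, but the
    policy context (allowlist, session) comes from the first target on that path."""
    candidates = [t for t in targets if t.path == path]
    if not candidates or not any(verify(t, token) for t in candidates):
        return None
    return candidates[0]            # context of the first match, not of the verifier


def route_by_verified_target(targets, path, token):
    """Fixed pattern: the context is the target whose secret verified the request;
    no match, or more than one match, is rejected instead of guessed."""
    verified = [t for t in targets if t.path == path and verify(t, token)]
    return verified[0] if len(verified) == 1 else None


def is_sender_allowed(target, sender):
    """Apply the selected target's allowlist; an unrouted event is never allowed."""
    return target is not None and sender in target.allowlist


# Constructed sample: two accounts registered the same HTTP path.
TARGETS = [
    WebhookTarget("acct-a", "/webhooks/gchat", "secret-a", {"alice@example.com"}),
    WebhookTarget("acct-b", "/webhooks/gchat", "secret-b", {"bob@example.com"}),
]

if __name__ == "__main__":
    # An event verified with acct-b's secret lands in acct-a's context under
    # first-match routing, so acct-a's allowlist is applied to acct-b's traffic.
    bad = route_first_match(TARGETS, "/webhooks/gchat", "secret-b")
    good = route_by_verified_target(TARGETS, "/webhooks/gchat", "secret-b")
    print(bad.account, is_sender_allowed(bad, "alice@example.com"))
    print(good.account, is_sender_allowed(good, "alice@example.com"))
```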
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.2
Vulnerability type
- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-284: Improper Access Control
References
- https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357a...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248
- https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misro...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://nvd.nist.gov/vuln/detail/CVE-2026-28469
- https://github.com/advisories/GHSA-rq6g-px6m-c248
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026