Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.1
Google Chat Spoofing Risk with OpenClaw: Email Spoofing Possible
GHSA-chm2-m3w2-wcxm
Summary
OpenClaw, a Google Chat integration, has a flaw that allows attackers with high-level access to Google Workspace to pretend to be a legitimate sender. This means that even if you've set up allowlists to only accept messages from specific users, an attacker could potentially send malicious messages that appear to come from a trusted source. To protect yourself, update OpenClaw to the latest version.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| steipete | clawdbot | <= 2026.1.24-3 | – |
Original title
OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
Original description
### Summary
Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (`users/<id>`). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.
### Affected Packages / Versions
(As of 2026-02-14; based on latest published npm versions)
- `openclaw` (npm): `<= 2026.2.13`
- `clawdbot` (npm): `<= 2026.1.24-3`
### Details
Affected component:
- `extensions/googlechat/src/monitor.ts`
The `allowFrom` checks accept:
- Immutable sender id (`users/<id>`)
- Raw email (`[email protected]`) for usability
Historically, `users/<email>` was also treated as an email allowlist entry. This is now deprecated because it looks like an immutable ID but is actually a mutable principal.
### Security Triage (2026-02-14)
Severity: **Low**
Rationale:
- Requests are authenticated as coming from Google Chat (token verification), so this is not a generic unauthenticated spoofing vector.
- A realistic exploit generally requires **Google Workspace / IdP administrative control** over identity lifecycle (e.g. reassigning an email address to a different underlying account) to obtain the same email with a different `users/<id>`.
- With that level of access, the attacker typically has broader compromise paths.
We still treat it as a valid defense-in-depth report because accepting mutable principals in authorization decisions can increase risk in chained-failure scenarios.
### Remediation / Behavior Changes
Goal: preserve usability while reducing footguns.
- Raw email allowlists remain supported.
- `users/<email>` is deprecated and treated as a **user id**, not as an email allowlist.
- Documentation recommends `users/<id>` when strict immutable binding is required.
### Fix Commit(s)
- `c8424bf29a921e25663b29f308640b3d91a49432` (PR #16243)
Thanks @vincentkoc for reporting.
Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (`users/<id>`). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.
### Affected Packages / Versions
(As of 2026-02-14; based on latest published npm versions)
- `openclaw` (npm): `<= 2026.2.13`
- `clawdbot` (npm): `<= 2026.1.24-3`
### Details
Affected component:
- `extensions/googlechat/src/monitor.ts`
The `allowFrom` checks accept:
- Immutable sender id (`users/<id>`)
- Raw email (`[email protected]`) for usability
Historically, `users/<email>` was also treated as an email allowlist entry. This is now deprecated because it looks like an immutable ID but is actually a mutable principal.
### Security Triage (2026-02-14)
Severity: **Low**
Rationale:
- Requests are authenticated as coming from Google Chat (token verification), so this is not a generic unauthenticated spoofing vector.
- A realistic exploit generally requires **Google Workspace / IdP administrative control** over identity lifecycle (e.g. reassigning an email address to a different underlying account) to obtain the same email with a different `users/<id>`.
- With that level of access, the attacker typically has broader compromise paths.
We still treat it as a valid defense-in-depth report because accepting mutable principals in authorization decisions can increase risk in chained-failure scenarios.
### Remediation / Behavior Changes
Goal: preserve usability while reducing footguns.
- Raw email allowlists remain supported.
- `users/<email>` is deprecated and treated as a **user id**, not as an email allowlist.
- Documentation recommends `users/<id>` when strict immutable binding is required.
### Fix Commit(s)
- `c8424bf29a921e25663b29f308640b3d91a49432` (PR #16243)
Thanks @vincentkoc for reporting.
ghsa CVSS4.0
2.1
Vulnerability type
CWE-290
CWE-863
Incorrect Authorization
- https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm
- https://github.com/openclaw/openclaw/pull/16243
- https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a4...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://github.com/advisories/GHSA-chm2-m3w2-wcxm
Published: 17 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026