CVE-2026-28469

CRITICAL9.8EPSS 0.04%

OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting

發布日:2026/2/18修改日:2026/3/6

描述

## Summary When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting. ## Affected Packages / Versions - npm: `openclaw` <= 2026.2.13 - npm: `clawdbot` <= 2026.1.24-3 ## Details Affected component: `extensions/googlechat/src/monitor.ts`. Baseline behavior allowed multiple webhook targets per path and selected the first target that passed `verifyGoogleChatRequest(...)`. In shared-path deployments where multiple targets can verify successfully (for example, equivalent audience validation), inbound events could be processed under the wrong account context (wrong allowlist/session/policy). ## Fix - Fix commit (merged to `main`): `61d59a802869177d9cef52204767cd83357ab79e` - `openclaw` will be patched in the next planned release: `2026.2.14`. `clawdbot` is a legacy/deprecated package name; no patched version is currently planned. Migrate to `openclaw` and upgrade to `openclaw >= 2026.2.14`. ## Workaround Ensure each Google Chat webhook target uses a unique webhook path so routing is never ambiguous. ## Release Process Note The advisory is pre-populated with the planned patched version. After the npm release is published, the remaining action should be to publish the advisory. Thanks @vincentkoc for reporting. --- Fix commit 61d59a802869177d9cef52204767cd83357ab79e confirmed on main and in v2026.2.14. Upgrade to `openclaw >= 2026.2.14`.

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N
osvCVSS 3.1CRITICAL9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(6)