CVE-2026-35617
Authorization Bypass in OpenClaw Google Chat Group Policy Enforcement
Publication date: 2026-04-09
Last updated on: 2026-04-16
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.25 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects OpenClaw versions before 2026.3.25 and is an authorization bypass in Google Chat group policy enforcement. The enforcement relies on space display names, which are mutable: an attacker can change a display name or make it collide with another space's name. Doing so rebinds group policies and gives the attacker unauthorized access to protected resources.
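The difference between binding a group policy to a mutable display name and binding it to an immutable space identifier, shown as an added example that is not OpenClaw's code and not part of the original page. It assumes the Google Chat API Space fields `name` and `displayName`; the policy object shape, the function names and all IDs are hypothetical.

```javascript
// Added illustration, not OpenClaw source. Field names follow the Google Chat
// API Space resource: `name` is the immutable resource name ("spaces/..."),
// `displayName` is an editable label. Policy shape and IDs are constructed.

// Weak pattern (CWE-807): the policy follows whichever space carries the label.
function resolvePolicyByDisplayName(policies, space) {
  return policies.find((p) => p.displayName === space.displayName) ?? null;
}

// Hardened pattern: bind to the immutable resource name only; the label is
// never an authorization input.
function resolvePolicyBySpaceName(policies, space) {
  if (typeof space.name !== "string" || !/^spaces\/[^/]+$/.test(space.name)) {
    return null; // malformed or missing identifier: fail closed
  }
  return policies.find((p) => p.spaceName === space.name) ?? null;
}

// Audit helper: report policies with no immutable binding, and display names
// shared by more than one known space (compared after normalization).
function auditBindings(policies, knownSpaces) {
  const findings = [];
  for (const p of policies) {
    if (!p.spaceName) {
      findings.push({ kind: "unpinned-policy", displayName: p.displayName });
    }
  }
  const byLabel = new Map();
  for (const s of knownSpaces) {
    const key = s.displayName.normalize("NFKC").trim().toLowerCase();
    byLabel.set(key, [...(byLabel.get(key) ?? []), s.name]);
  }
  for (const [label, spaces] of byLabel) {
    if (spaces.length > 1) {
      findings.push({ kind: "display-name-collision", label, spaces });
    }
  }
  return findings;
}

// Constructed sample data.
const policies = [{ displayName: "Finance Ops", spaceName: "spaces/AAAA1111", allow: true }];
const legit = { name: "spaces/AAAA1111", displayName: "Finance Ops" };
const lookalike = { name: "spaces/ZZZZ9999", displayName: "Finance Ops" };
const renamed = { name: "spaces/AAAA1111", displayName: "Finance Ops (archive)" };
```

With the label-based lookup, `lookalike` receives the policy and `renamed` loses it; with the identifier-based lookup, the policy stays with `spaces/AAAA1111` regardless of the label.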
How can this vulnerability impact me?
The vulnerability allows attackers to bypass authorization controls by exploiting mutable space display names in Google Chat group policies. This can lead to unauthorized access to protected resources, potentially exposing sensitive information or allowing actions that should be restricted.