CVE-2026-35622
Authentication Bypass in OpenClaw Google Chat Webhook Integration
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | versions before 2026.3.22 (upper bound exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | Authentication Bypass by Spoofing: an incorrectly implemented authentication scheme that accepts spoofed identity or origin information as proof of authenticity. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.22 and stems from improper authentication verification in the Google Chat app-url webhook handling. The handler accepted add-on principals outside the intended deployment bindings, so a request presenting a non-deployment add-on principal was treated as authenticated. An attacker could therefore bypass the webhook authentication and perform unauthorized actions through the Google Chat integration.
How can this vulnerability impact me?
The vulnerability allows unauthorized actions to be executed through the Google Chat integration. An attacker who exploits it bypasses the webhook's authentication controls and can perform actions that should have been rejected, which primarily compromises integrity, with a limited confidentiality impact. Availability is not directly affected, but the integrity compromise can lead to misuse or manipulation of the system. Upgrading to OpenClaw 2026.3.22 or later removes the flaw.