4 matches found

Vulnrichment
added 2026/04/09 9:26 p.m. | 0 views

CVE-2026-35622 OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook

OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execut...

CVSS 6 | AI score 5.9 | EPSS 0.00075
Exploits 0 | References 4
CVE
added 2026/04/09 9:26 p.m. | 4 views

CVE-2026-35622

OpenClaw (npm package) before 2026.3.22 contains an improper authentication verification in Google Chat app-url webhook handling, allowing attackers to bypass webhook authentication by supplying non-deployment add-on principals and perform unauthorized actions through the Google Chat integration....

CVSS 7.1 | AI score 6 | EPSS 0.00075
Exploits 0 | References 4 | Affected Software 1
Snyk
added 2026/03/26 9:37 p.m. | 4 views

Incorrect Authorization

Overview: @openclaw/mattermost is an OpenClaw Mattermost channel plugin. Affected versions of this package are vulnerable to Incorrect Authorization in the auth process. An attacker can gain unauthorized access by sending requests with add-on principals that are not bound to the intended deployment...

CVSS 7.6 | AI score 5.9 | EPSS 0.00075
Exploits 0 | References 2
OSV
added 2026/03/26 9:37 p.m. | 3 views

GHSA-MP66-RF4F-MHH8 OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals

Summary: Google Chat app-url webhook verification accepted add-on principals outside the intended deployment binding. Affected Packages / Versions: Package: openclaw npm; Affected: = 2026.3.22; Latest released tag checked: v2026.3.23-2 630f1479c44f78484dfa21bb407cbe6f171dac87; Latest published...

CVSS 6 | AI score 5.8 | EPSS 0.00075
Exploits 0 | References 6