61 matches found
CVE-2026-35670 OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered...
CVE-2026-35670
OpenClaw/OpenClaw Synology Chat integration is affected: before 2026.3.22, webhook replies can be rebound to unintended users due to mutable username matching instead of the stable numeric user_id recorded by webhook events. This enables attackers to manipulate username changes to redirect webhoo...
GHSA-G8MC-C5F2-MQG7 Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that...
EUVD-2026-21126
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access...
Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation...
Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that...
CVE-2026-35635
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access...
CVE-2026-35635 OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access...
CVE-2026-35635 OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access...
CVE-2026-35635
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access...
CVE-2026-35635
OpenClaw
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities were caused by a problem with the Webhook path routing in the Synology Chat extension, which could lead to bypassing...
PT-2026-31770
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw before version 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension. This allows attackers to collapse multi-account configurations onto shar...
GHSA-MF5G-6R6F-GHHM OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
Summary Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
Summary Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...
Improper Authorization
Overview @openclaw/synology-chat is a Synology Chat channel plugin for OpenClaw Affected versions of this package are vulnerable to Improper Authorization in the webhook process. An attacker can gain unauthorized access to direct message policies by exploiting a path collision in the multi-accoun...
GHSA-RQP8-Q22P-5J9Q OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Summary Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Summary Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
Use of Incorrectly-Resolved Name or Reference
Overview @openclaw/synology-chat is a Synology Chat channel plugin for OpenClaw Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the webhook-handler process. An attacker can redirect message replies to an unintended user by exploiting mutable...
GHSA-WV46-V6XC-2QHF OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
Summary Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric userid recorded by the webhook event. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...