CVE-2026-28469
Published: 05 March 2026
Summary
CVE-2026-28469 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in OpenClaw (NVD lists both vendor and product as Openclaw). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 12.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows unauthenticated network attackers to send crafted requests to a public-facing Google Chat webhook endpoint, exploiting routing/authorization logic to bypass allowlists and session policies under incorrect account contexts. This directly matches exploitation of a public-facing application for initial access or unauthorized processing.
NVD Description
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
Deeper analysis (AI-generated)
OpenClaw versions prior to 2026.2.14 are affected by CVE-2026-28469, a webhook routing vulnerability in the Google Chat monitor component. The issue arises from cross-account policy context misrouting when multiple webhook targets share the same HTTP path: because request verification uses first-match semantics, an inbound webhook event can be processed under the wrong account context, bypassing the allowlists and session policies intended for it. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-639 (Authorization Bypass Through User-Controlled Key).
Unauthenticated attackers with network access can exploit this vulnerability by sending crafted webhook requests to the affected Google Chat monitor endpoint. Attack complexity is low and no privileges or user interaction are required; exploitation hinges on webhook targets that share an HTTP path across accounts. Successful exploitation causes webhook events to be processed in the context of a different account, an integrity impact (unauthorized policy bypass) with no effect on confidentiality or availability.
The fix ships in OpenClaw version 2026.2.14 and later, as recorded in the project's GitHub commit (61d59a802869177d9cef52204767cd83357ab79e). Security advisories from GitHub (GHSA-rq6g-px6m-c248) and VulnCheck provide further guidance on the issue and recommend upgrading to a patched version to resolve the routing ambiguity.
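The following is an added illustration of the routing defect class described above; it is not OpenClaw's code and does not reproduce the project's Google Chat monitor. The data model (WebhookTarget, InboundEvent, an HMAC-signed body, a per-target sender allowlist) and the two router functions are assumptions made for the example. It contrasts a first-match dispatcher, where the policy context is taken from the first target registered on a path even though the request verified against a different one, with a dispatcher that binds the policy context to the target whose credential actually verified the event and fails closed when more than one target matches.

```typescript
// Added example (not OpenClaw's code): webhook dispatch when several accounts'
// webhook targets are registered on the same HTTP path.
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical data model, assumed for this illustration.
export interface WebhookTarget {
  accountId: string;
  path: string;
  secret: string;               // per-target secret used to verify inbound events
  senderAllowlist: Set<string>; // per-account sender policy
}

export interface InboundEvent {
  path: string;
  body: string;
  signature: string;            // hex HMAC-SHA256 over body, keyed with a target secret
  sender: string;
}

export interface RoutingResult {
  accepted: boolean;
  accountId: string | null;     // the account context the event was evaluated under
  reason: string;
}

export function signBody(secret: string, body: string): string {
  return createHmac("sha256", secret).update(body).digest("hex");
}

function signatureMatches(target: WebhookTarget, ev: InboundEvent): boolean {
  const expected = new TextEncoder().encode(signBody(target.secret, ev.body));
  const given = new TextEncoder().encode(ev.signature);
  return expected.length === given.length && timingSafeEqual(expected, given);
}

function applyPolicy(ctx: WebhookTarget, ev: InboundEvent): RoutingResult {
  if (!ctx.senderAllowlist.has(ev.sender)) {
    return { accepted: false, accountId: ctx.accountId, reason: "sender not on allowlist" };
  }
  return { accepted: true, accountId: ctx.accountId, reason: "ok" };
}

// Vulnerable shape (CWE-639 style): the event is verified against ANY target on
// the path, but the policy context comes from the FIRST target on that path.
// With two accounts sharing a path, an event valid for account B is evaluated
// against account A's allowlist, i.e. processed under the wrong account context.
export function routeFirstMatch(targets: WebhookTarget[], ev: InboundEvent): RoutingResult {
  const onPath = targets.filter((t) => t.path === ev.path);
  if (onPath.length === 0) return { accepted: false, accountId: null, reason: "no target" };
  if (!onPath.some((t) => signatureMatches(t, ev))) {
    return { accepted: false, accountId: null, reason: "bad signature" };
  }
  // BUG: context chosen by registration order, not by which credential verified.
  return applyPolicy(onPath[0], ev);
}

// Hardened shape: the policy context is the target whose credential verified the
// event, and an event that verifies for more than one target is rejected rather
// than guessed (fail closed).
export function routeByVerifiedTarget(targets: WebhookTarget[], ev: InboundEvent): RoutingResult {
  const matches = targets.filter((t) => t.path === ev.path && signatureMatches(t, ev));
  if (matches.length === 0) return { accepted: false, accountId: null, reason: "no verified target" };
  if (matches.length > 1) return { accepted: false, accountId: null, reason: "ambiguous target" };
  return applyPolicy(matches[0], ev);
}

// Constructed sample data: two accounts sharing one webhook path.
export const sampleTargets: WebhookTarget[] = [
  { accountId: "acct-A", path: "/gchat/hook", secret: "secret-A", senderAllowlist: new Set(["alice@example.com"]) },
  { accountId: "acct-B", path: "/gchat/hook", secret: "secret-B", senderAllowlist: new Set(["bob@example.com"]) },
];

// Constructed event: correctly signed for account B, from a sender account B does NOT allow.
const sampleBody = '{"type":"MESSAGE","text":"hi"}';
export const sampleEvent: InboundEvent = {
  path: "/gchat/hook",
  body: sampleBody,
  signature: signBody("secret-B", sampleBody),
  sender: "alice@example.com",
};

console.log("first-match:", routeFirstMatch(sampleTargets, sampleEvent));
console.log("verified-target:", routeByVerifiedTarget(sampleTargets, sampleEvent));
```

Run with a TypeScript runner such as tsx. The first-match router accepts the event under acct-A, so account B's allowlist never applies to an event that was authenticated with B's credential; the hardened router evaluates it under acct-B and rejects it. The invariant worth checking in any multi-tenant webhook receiver is that the identity used for authorization is derived from the same object that authenticated the request, never from path lookup order.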
Details
- CWE(s)