When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.

Affected component: extensions/googlechat/src/monitor.ts.

Baseline behavior allowed multiple webhook targets per path and selected the first target that passed verifyGoogleChatRequest(...). In shared-path deployments where multiple targets can verify successfully (for example, equivalent audience validation), inbound events could be processed under the wrong account context (wrong allowlist/session/policy).

clawdbot is a legacy/deprecated package name; no patched version is currently planned. Migrate to openclaw and upgrade to openclaw >= 2026.2.14.

Ensure each Google Chat webhook target uses a unique webhook path so routing is never ambiguous.

The advisory is pre-populated with the planned patched version. After the npm release is published, the remaining action should be to publish the advisory.

Thanks @vincentkoc for reporting.

Fix commit 61d59a802869177d9cef52204767cd83357ab79e confirmed on main and in v2026.2.14. Upgrade to openclaw >= 2026.2.14.