PT-2026-23544 · Openclaw+1

Vincent Koc · Published 2026-02-18 · Updated 2026-03-10

CVE-2026-28469 · CVSS v3.1 7.5 High · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.14
clawdbot versions prior to 2026.1.24-3

Description

The software contains a webhook routing issue in the Google Chat monitor component. This allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to have inbound webhook events processed under an incorrect account context, bypassing the intended allowlists and session policies. The affected component is extensions/googlechat/src/monitor.ts. The issue arises from allowing multiple webhook targets per path and selecting the first target that passes verifyGoogleChatRequest(...).

Recommendations

OpenClaw versions prior to 2026.2.14: Upgrade to version 2026.2.14 or later.
clawdbot versions prior to 2026.1.24-3: Migrate to OpenClaw and upgrade to OpenClaw version 2026.2.14 or later.
Ensure each Google Chat webhook target uses a unique webhook path to avoid ambiguous routing.
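The first-match routing described above, modelled as a constructed TypeScript example that is not OpenClaw's own code: two targets share one path and the same credential, so the first registered account captures an event meant for the other; the unique-path table the recommendation calls for removes that ambiguity. Account names, paths, tokens and the verification stand-in are assumptions.

```typescript
// Added illustration (not the project's code): simplified model of
// first-match webhook routing across targets that share one HTTP path.
type Target = { account: string; path: string; token: string; allowlist: string[] };
type Decision = { account: string | null; allowed: boolean };

// Constructed sample: two accounts registered on the SAME path with the
// same shared credential, so both would pass verification for one request.
const SAMPLE_TARGETS: Target[] = [
  { account: "account-a", path: "/hooks/gchat", token: "shared-secret", allowlist: ["alice@example.com"] },
  { account: "account-b", path: "/hooks/gchat", token: "shared-secret", allowlist: ["bob@example.com"] },
];

// Stand-in for verifyGoogleChatRequest(...): accept when the presented
// token matches the target's configured token (assumed scheme).
function verify(target: Target, token: string): boolean {
  return target.token === token;
}

// Vulnerable pattern: among all targets on the path, take the first that
// verifies. An event intended for account-b is evaluated under account-a's
// context and allowlist simply because account-a was registered first.
function routeFirstMatch(targets: Target[], path: string, token: string, sender: string): Decision {
  const hit = targets.filter((t) => t.path === path).find((t) => verify(t, token));
  if (!hit) return { account: null, allowed: false };
  return { account: hit.account, allowed: hit.allowlist.includes(sender) };
}

// Hardened registration: refuse a second target on an existing path, so the
// path alone determines the account context before verification runs.
function registerUniquePaths(targets: Target[]): Map<string, Target> {
  const byPath = new Map<string, Target>();
  for (const t of targets) {
    if (byPath.has(t.path)) throw new Error(`duplicate webhook path: ${t.path}`);
    byPath.set(t.path, t);
  }
  return byPath;
}

// Hardened dispatch: exactly one candidate per path, verified in isolation.
function routeUnique(byPath: Map<string, Target>, path: string, token: string, sender: string): Decision {
  const t = byPath.get(path);
  if (!t || !verify(t, token)) return { account: null, allowed: false };
  return { account: t.account, allowed: t.allowlist.includes(sender) };
}
```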

Fix

Weakness Enumeration: Improper Access Control, IDOR

Related Identifiers: CVE-2026-28469, GHSA-RQ6G-PX6M-C248

Affected Products: Openclaw, Clawdbot