PT-2026-30543 · Npm · Openclaw
Published
2026-03-26
·
Updated
2026-03-26
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
Summary
Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected: < 2026.3.22
- Fixed: >= 2026.3.22
- Latest released tag checked:
v2026.3.23-2(630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked:
2026.3.23-2
Fix Commit(s)
980940aa58f862da4e19372597bbc2a9f268d70b
Release Status
The fix shipped in
v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.Code-Level Confirmation
- extensions/synology-chat/src/accounts.ts now distinguishes inherited base webhook paths from explicit per-account paths.
- extensions/synology-chat/src/gateway-runtime.ts now fails closed on inherited or duplicate webhook paths and registers routes without replacement.
OpenClaw thanks @tdjackey for reporting.
Fix
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw