PT-2026-31357 · Npm · Openclaw
Published
2026-03-29
·
Updated
2026-03-29
CVSS v3.1
4.2
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
Summary
Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Google Chat group authorization previously relied on mutable space display names, which allowed policy rebinding when names changed or collided. Commit
11ea1f67863d88b6cbcb229dd368a45e07094bff requires stable group IDs for access decisions.Verified vulnerable on tag
v2026.3.24 and fixed on main by commit 11ea1f67863d88b6cbcb229dd368a45e07094bff.Fix Commit(s)
11ea1f67863d88b6cbcb229dd368a45e07094bff
Fix
IDOR
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw