Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 npm packages depend on openclaw (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.22.
DescriptionCVE.org
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.
AnalysisAI
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in its Synology Chat extension that allows unauthenticated remote attackers to bypass per-account direct message access controls by collapsing multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to replace route ownership across accounts, potentially gaining unauthorized access to account-specific resources. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability stems from improper validation of webhook path routing in OpenClaw's Synology Chat extension, classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference). The root cause involves insufficient separation of webhook path namespaces across multi-account configurations, allowing an attacker to manipulate routing logic by providing crafted webhook paths that inherit or duplicate existing paths. This results in route ownership being reassigned across distinct accounts, effectively bypassing access control policies that depend on per-account webhook isolation. The vulnerability affects OpenClaw versions prior to 2026.3.22 as indicated by the CPE specification cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*, which covers all versions before the patched release.
RemediationAI
Vendor-released patch: Upgrade OpenClaw to version 2026.3.22 or later. The fix is available in the upstream repository with commits referenced at https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 and https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b. For additional context and technical details about the vulnerability, consult the security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat. Until patching is possible, organizations should review and audit their webhook path configurations to identify and isolate any duplicate or inherited paths across multi-account setups.
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21126
GHSA-g8mc-c5f2-mqg7