Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 npm packages depend on openclaw (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.22.
DescriptionCVE.org
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered replies to different users, bypassing the intended recipient binding recorded in webhook events.
AnalysisAI
OpenClaw before version 2026.3.22 allows authenticated attackers to redirect webhook-triggered chat replies to unintended users by exploiting username-based recipient binding instead of stable numeric identifiers. An attacker with valid credentials can manipulate username changes to rebind webhook replies intended for one user to a different user, compromising message confidentiality and integrity. No public exploit code or active CISA exploitation data is available, but the vulnerability is confirmed patched by the vendor.
Technical ContextAI
The vulnerability exploits a fundamental design flaw in OpenClaw's webhook reply delivery mechanism. Rather than using immutable numeric user identifiers to bind webhook events to their intended recipients, the system relies on usernames-which are mutable and can be changed by users or administrators. When a webhook event is triggered (e.g., an external system replies to a chat message), the system attempts to deliver that reply to the user specified by the webhook metadata. However, if the webhook metadata contains a username instead of a stable user ID, an attacker can change their own username or manipulate username resolution to match the target user's name at delivery time, causing the reply to be routed to the attacker instead of the intended recipient. This is rooted in CWE-807 (Reliance on Untrusted Inputs in a Security Decision), where mutable user attributes are incorrectly trusted for security-critical operations. The affected OpenClaw product is a chat integration system (often deployed via Synology Chat), and this vulnerability specifically impacts the webhook integration subsystem that bridges external services with internal chat delivery.
RemediationAI
Upgrade OpenClaw to version 2026.3.22 or later. The vendor has released a patched version addressing the username-based recipient binding flaw; two upstream commits (630f1479c44f78484dfa21bb407cbe6f171dac87 and 7ade3553b74ee3f461c4acd216653d5ba411f455) implement the fix, moving the system to stable numeric user identifiers for webhook recipient binding. Organizations unable to upgrade immediately should review webhook integration configurations and restrict webhook permissions to trusted external services only. Consult the OpenClaw GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-webhook-reply-rebinding-via-username-resolution-in-synology-chat for additional mitigation guidance.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21486