Skip to main content

Google EUVDEUVD-2026-21101

| CVE-2026-35617 LOW
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
2026-04-09 VulnCheck
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 09, 2026 - 21:45 euvd
EUVD-2026-21101
Analysis Generated
Apr 09, 2026 - 21:45 vuln.today
Patch released
Apr 09, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 09, 2026 - 21:26 nvd
LOW 2.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on openclaw (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.28.

DescriptionCVE.org

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.

AnalysisAI

OpenClaw before version 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement where attackers with authenticated access can manipulate space display names to rebind group policies and gain unauthorized access to protected resources. The vulnerability requires authenticated access and high attack complexity but affects confidentiality and integrity of protected data. A vendor patch has been released.

Technical ContextAI

The vulnerability resides in OpenClaw's implementation of Google Chat group policy enforcement mechanisms (CWE-807: Reliance on Untrusted Inputs in a Security Decision). The root cause is the use of mutable space display names as a security-relevant identifier for binding and enforcing group policies. When display names are used as policy anchors without proper immutable validation or cryptographic binding, attackers can manipulate these attributes through legitimate space modification operations. This allows policy rebinding attacks where an attacker can either change a display name to match a target space (collision) or rename their own space to match a protected resource's display name, causing policy enforcement logic to incorrectly apply or transfer access controls. The affected product is OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) in all versions prior to 2026.3.25.

RemediationAI

Vendor-released patch: upgrade to OpenClaw version 2026.3.25 or later. The upstream fix is available at the commit referenced (11ea1f67863d88b6cbcb229dd368a45e07094bff) in the OpenClaw GitHub repository. Organizations unable to upgrade immediately should audit existing group policy configurations for suspicious display name changes or collisions, implement monitoring on space display name modifications, and restrict policy modification permissions to trusted administrators. Consult the official security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778 for detailed guidance.

Share

EUVD-2026-21101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy