Skip to main content

Google EUVDEUVD-2026-21104

| CVE-2026-35622 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-04-09 VulnCheck GHSA-hgwr-wr8h-rxm7
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 09, 2026 - 21:45 euvd
EUVD-2026-21104
Analysis Generated
Apr 09, 2026 - 21:45 vuln.today
Patch released
Apr 09, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 09, 2026 - 21:26 nvd
MEDIUM 6.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 npm packages depend on openclaw (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.22.

DescriptionCVE.org

OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.

AnalysisAI

OpenClaw before version 2026.3.22 contains an improper authentication verification flaw in its Google Chat webhook handling that allows authenticated attackers with low privileges to bypass webhook authentication by supplying non-deployment add-on principals, enabling unauthorized actions through the Google Chat integration with a CVSS score of 6.0 and confirmed vendor patch availability.

Technical ContextAI

The vulnerability exists in OpenClaw's Google Chat app-url webhook integration, which fails to properly validate that webhook requests originate from add-on principals within intended deployment bindings. The root cause, classified as CWE-290 (Authentication Using a Wrong Actor), stems from insufficient verification of the principal identity before accepting webhook requests. Attackers who have already obtained low-level authenticated access (PR:L per CVSS vector) can exploit this by crafting requests with non-deployment add-on principals that should have been rejected, thereby circumventing the intended security boundary between different deployment contexts within Google Chat's add-on framework.

RemediationAI

Upgrade OpenClaw to version 2026.3.22 or later, which contains the authentication verification fixes. Vendor patches have been committed to the OpenClaw repository as referenced in commit 630f1479c44f78484dfa21bb407cbe6f171dac87 and a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66. Until patching is feasible, restrict Google Chat webhook access to high-privileged accounts only and monitor webhook request logs for suspicious add-on principal usage. Review the security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-mp66-rf4f-mhh8 for additional context and https://www.vulncheck.com/advisories/openclaw-improper-authentication-verification-in-google-chat-webhook for technical details.

Share

EUVD-2026-21104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy