CVE-2026-35617

MEDIUM

OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName

Title source: cna

Description

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778

[Patch] https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname

Scores

CVSS v3 4.2

EPSS 0.0006

EPSS Percentile 17.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-807

Status published

Products (4)

npm/openclaw 0 - 2026.3.28npm

OpenClaw/OpenClaw < 2026.3.25

openclaw/openclaw < 2026.3.25

OpenClaw/OpenClaw 2026.3.25

Published Apr 09, 2026

Tracked Since Apr 10, 2026