CVE-2026-35635

MEDIUM

OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat

Title source: cna

Description

OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.

References (4)

Scores

CVSS v3 4.8
EPSS 0.0004
EPSS Percentile 11.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-706 CWE-863
Status published
Products (4)
npm/openclaw 0 - 2026.3.22npm
OpenClaw/OpenClaw < 2026.3.22
openclaw/openclaw < 2026.3.22
OpenClaw/OpenClaw 2026.3.22
Published Apr 09, 2026
Tracked Since Apr 10, 2026