CVE-2026-35617

OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName

CVSS 2.3 LOWEPSS 0.2%CWE-807

Vexday Risk Score

8Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 2.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

09 abr 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Produtos afetados

OpenClaw · OpenClaw

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778 https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname