GHSA-52q4-3xjc-6778
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Details
## Summary
Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
## Affected Packages / Versions
- Package: `openclaw`
- Affected versions: `<= 2026.3.24`
- First patched version: `2026.3.25`
- Latest published npm version at verification time: `2026.3.24`
## Details
Google Chat group authorization previously relied on mutable space display names, which allowed policy rebinding when names changed or collided. Commit `11ea1f67863d88b6cbcb229dd368a45e07094bff` requires stable group IDs for access decisions.
Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `11ea1f67863d88b6cbcb229dd368a45e07094bff`.
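The rebinding described above, as an added sketch that is not OpenClaw's code: a policy lookup keyed on `displayName` beside one keyed on the stable space resource name, plus a check for name-keyed policy entries. The policy maps, function names and space values are all constructed for illustration.

```javascript
// Added illustration, not OpenClaw code; every name and value is constructed.
// A Google Chat space carries a stable resource name ("spaces/<id>") and a
// displayName that can be edited and is not unique.

// Hypothetical operator policy, keyed two ways.
const policyByDisplayName = new Map([["ops-oncall", { allow: true }]]);
const policyByStableId = new Map([["spaces/AAAA1111", { allow: true }]]);

// Pattern the advisory describes as vulnerable: the decision follows the
// mutable displayName.
function isAllowedByName(space) {
  const entry = policyByDisplayName.get(space.displayName);
  return Boolean(entry && entry.allow);
}

// Pattern the fix requires: the decision follows only the stable ID.
function isAllowedById(space) {
  const entry = policyByStableId.get(space.name);
  return Boolean(entry && entry.allow);
}

// Config audit: return policy keys that are not stable space IDs.
function findNameKeyedEntries(policy) {
  return [...policy.keys()].filter((k) => !/^spaces\/[A-Za-z0-9_-]+$/.test(k));
}

// Constructed spaces: the intended one, a different space with the same
// displayName, and the intended space after a rename.
const intended = { name: "spaces/AAAA1111", displayName: "ops-oncall" };
const collidingSpace = { name: "spaces/BBBB2222", displayName: "ops-oncall" };
const renamed = { name: "spaces/AAAA1111", displayName: "ops-oncall-archive" };

for (const s of [intended, collidingSpace, renamed]) {
  console.log(s.name, s.displayName,
    "byName:", isAllowedByName(s), "byId:", isAllowedById(s));
}
console.log("name-keyed entries:", findNameKeyedEntries(policyByDisplayName));
```

With name keying, the policy follows whichever space currently holds the name; with ID keying, a rename or collision does not change the decision.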
## Fix Commit(s)
- `11ea1f67863d88b6cbcb229dd368a45e07094bff`
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-35617 [ADVISORY]
- https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname [WEB]