GHSA-CHM2-M3W2-WCXM
Vulnerability from github – Published: 2026-02-17 22:56 – Updated: 2026-02-17 22:56Summary
Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name (users/<id>). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.
Affected Packages / Versions
(As of 2026-02-14; based on latest published npm versions)
- openclaw (npm): <= 2026.2.13
- clawdbot (npm): <= 2026.1.24-3
Details
Affected component:
- extensions/googlechat/src/monitor.ts
The allowFrom checks accept:
- Immutable sender id (users/<id>)
- Raw email (alice@example.com) for usability
Historically, users/<email> was also treated as an email allowlist entry. This is now deprecated because it looks like an immutable ID but is actually a mutable principal.
Security Triage (2026-02-14)
Severity: Low
Rationale:
- Requests are authenticated as coming from Google Chat (token verification), so this is not a generic unauthenticated spoofing vector.
- A realistic exploit generally requires Google Workspace / IdP administrative control over identity lifecycle (e.g. reassigning an email address to a different underlying account) to obtain the same email with a different users/<id>.
- With that level of access, the attacker typically has broader compromise paths.
We still treat it as a valid defense-in-depth report because accepting mutable principals in authorization decisions can increase risk in chained-failure scenarios.
Remediation / Behavior Changes
Goal: preserve usability while reducing footguns.
- Raw email allowlists remain supported.
- users/<email> is deprecated and treated as a user id, not as an email allowlist.
- Documentation recommends users/<id> when strict immutable binding is required.
Fix Commit(s)
c8424bf29a921e25663b29f308640b3d91a49432(PR #16243)
Thanks @vincentkoc for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "clawdbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.1.24-3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T22:56:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nGoogle Chat allowlisting supports matching by sender email in addition to immutable sender resource name (`users/\u003cid\u003e`). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.\n\n### Affected Packages / Versions\n(As of 2026-02-14; based on latest published npm versions)\n- `openclaw` (npm): `\u003c= 2026.2.13`\n- `clawdbot` (npm): `\u003c= 2026.1.24-3`\n\n### Details\nAffected component:\n- `extensions/googlechat/src/monitor.ts`\n\nThe `allowFrom` checks accept:\n- Immutable sender id (`users/\u003cid\u003e`)\n- Raw email (`alice@example.com`) for usability\n\nHistorically, `users/\u003cemail\u003e` was also treated as an email allowlist entry. This is now deprecated because it looks like an immutable ID but is actually a mutable principal.\n\n### Security Triage (2026-02-14)\nSeverity: **Low**\n\nRationale:\n- Requests are authenticated as coming from Google Chat (token verification), so this is not a generic unauthenticated spoofing vector.\n- A realistic exploit generally requires **Google Workspace / IdP administrative control** over identity lifecycle (e.g. reassigning an email address to a different underlying account) to obtain the same email with a different `users/\u003cid\u003e`.\n- With that level of access, the attacker typically has broader compromise paths.\n\nWe still treat it as a valid defense-in-depth report because accepting mutable principals in authorization decisions can increase risk in chained-failure scenarios.\n\n### Remediation / Behavior Changes\nGoal: preserve usability while reducing footguns.\n- Raw email allowlists remain supported.\n- `users/\u003cemail\u003e` is deprecated and treated as a **user id**, not as an email allowlist.\n- Documentation recommends `users/\u003cid\u003e` when strict immutable binding is required.\n\n### Fix Commit(s)\n- `c8424bf29a921e25663b29f308640b3d91a49432` (PR #16243)\n\nThanks @vincentkoc for reporting.",
"id": "GHSA-chm2-m3w2-wcxm",
"modified": "2026-02-17T22:56:39Z",
"published": "2026-02-17T22:56:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/pull/16243"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.