CVE-2026-35635

OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87	Patch
https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

15 Apr 2026, 17:00

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 -~~	() https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 - Patch
References	~~() https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b -~~	() https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat -~~	() https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat - Third Party Advisory
First Time		Openclaw openclaw Openclaw
CWE		CWE-863
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

09 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-09 22:16

Updated : 2026-04-15 17:00

NVD link : CVE-2026-35635

Mitre link : CVE-2026-35635

CVE.ORG link : CVE-2026-35635

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-863

Incorrect Authorization

4.8 /10