GHSA-rq6g-px6m-c248: OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting

February 18, 2026

When multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.

References

github.com/advisories/GHSA-rq6g-px6m-c248
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e
github.com/openclaw/openclaw/releases/tag/v2026.2.14
github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248

Code Behaviors & Features

Detect and mitigate GHSA-rq6g-px6m-c248 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →