GHSA-chm2-m3w2-wcxm: OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
OpenClaw's Google Chat allowlisting matches the sender by email address as well as by the immutable sender resource name (`users/<id>`). Because an email address is a mutable attribute of the account rather than a stable principal, an allowlist entry keyed by email can match a sender whose resource name differs from the one the operator intended to authorize. This weakens the identity binding for any deployment that assumes allowlists are keyed strictly by immutable principals.
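As an added example (not OpenClaw's own code; every name, type and the sample allowlist below are hypothetical), the following TypeScript contrasts an allowlist check that also accepts a match on the mutable email attribute with one that is bound only to the immutable `users/<id>` resource name, and adds a helper that lists email-keyed entries so an operator can migrate them to resource names.

```typescript
// Added example, not OpenClaw's code. Shapes and names are assumptions.
interface ChatSender {
  name: string;    // immutable Google Chat resource name, e.g. "users/1234567890"
  email?: string;  // mutable attribute; may be absent or change over time
}

// An allowlist entry is either a "users/<id>" resource name or an email address.
type AllowlistEntry = string;

function isResourceName(entry: string): boolean {
  return /^users\/[A-Za-z0-9_-]+$/.test(entry);
}

// Weak check: an entry matches if it equals the resource name OR the email.
// A sender whose resource name is not allowlisted is still accepted when its
// email attribute equals an email-keyed entry (the behaviour the advisory describes).
function isAllowedWeak(sender: ChatSender, allowlist: AllowlistEntry[]): boolean {
  return allowlist.some(
    (entry) =>
      entry === sender.name ||
      (sender.email !== undefined &&
        entry.toLowerCase() === sender.email.toLowerCase()),
  );
}

// Hardened check: only resource-name entries are consulted; email-keyed entries
// never grant access, so the decision is bound to the immutable principal.
function isAllowedStrict(sender: ChatSender, allowlist: AllowlistEntry[]): boolean {
  return allowlist
    .filter(isResourceName)
    .some((entry) => entry === sender.name);
}

// Operator aid: report entries that are keyed by email so they can be replaced
// with the corresponding "users/<id>" resource names before switching to strict mode.
function findEmailEntries(allowlist: AllowlistEntry[]): AllowlistEntry[] {
  return allowlist.filter((entry) => !isResourceName(entry));
}

// Constructed sample data: the operator allowlisted one resource name and one email.
const sampleAllowlist: AllowlistEntry[] = ["users/111111111111", "alice@example.com"];

// Sender whose resource name is the one the operator intended to authorize.
const legitimate: ChatSender = { name: "users/111111111111", email: "alice@example.com" };

// Sender with a different (non-allowlisted) resource name but the same email attribute.
const mismatched: ChatSender = { name: "users/999999999999", email: "alice@example.com" };

// Sender that presents no email attribute at all.
const noEmail: ChatSender = { name: "users/111111111111" };

function demo(): string[] {
  return [
    `weak   legitimate=${isAllowedWeak(legitimate, sampleAllowlist)}`,
    `weak   mismatched=${isAllowedWeak(mismatched, sampleAllowlist)}`,
    `strict legitimate=${isAllowedStrict(legitimate, sampleAllowlist)}`,
    `strict mismatched=${isAllowedStrict(mismatched, sampleAllowlist)}`,
    `email-keyed entries to migrate: ${findEmailEntries(sampleAllowlist).join(", ")}`,
  ];
}

console.log(demo().join("\n"));
```

The strict variant deliberately ignores email entries instead of rejecting the whole allowlist, so a deployment can keep its existing file, run `findEmailEntries` to see which entries no longer grant access, and replace them with resource names; a detection hook that logs when `isAllowedWeak` and `isAllowedStrict` disagree for the same sender identifies exactly the email-only matches the advisory is concerned with.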
References
- github.com/advisories/GHSA-chm2-m3w2-wcxm
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432
- github.com/openclaw/openclaw/pull/16243
- github.com/openclaw/openclaw/releases/tag/v2026.2.14
- github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm