LeakyCreds

CVE-2026-28469 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: March 5, 2026

OpenClaw - Broken Access Control

Published: March 5, 2026
Updated: March 5, 2026
Remote Exploitable

Overview

OpenClaw versions before 2026.2.14 contain a cross-account policy context misrouting vulnerability in the webhook routing of the Google Chat monitor component. Because request verification stops at the first matching webhook target, an attacker can bypass allowlists and session policies. Exploitation requires multiple webhook targets sharing the same HTTP path.
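To make the flaw class concrete, the following is an added illustrative model written for this page; it is not OpenClaw's code and does not reproduce its actual routing logic. It assumes a hypothetical dispatcher where several webhook targets (each belonging to a different account, with its own signing secret and sender allowlist) are mounted on the same HTTP path, and a constructed HMAC-SHA256 body-signing scheme. The flawed dispatcher takes the policy context from the first target on the path while accepting a signature that validates against any target on that path, so a request signed for one account is evaluated under another account's allowlist. The hardened dispatcher binds the policy context to the single target whose secret actually verifies the request and refuses ambiguous matches.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class WebhookTarget:
    """Hypothetical per-account webhook registration (constructed for this example)."""
    account: str          # account the target belongs to
    path: str             # HTTP path the webhook is mounted on
    secret: bytes         # per-target secret used to sign inbound requests
    allowlist: frozenset  # senders this account's policy permits


def sign(secret: bytes, body: bytes) -> str:
    """Constructed signing scheme: hex HMAC-SHA256 over the request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verifies(target: WebhookTarget, body: bytes, signature: str) -> bool:
    """Constant-time check of the request signature against one target's secret."""
    return hmac.compare_digest(sign(target.secret, body), signature)


def route_first_match(targets, path, body, signature, sender):
    """Flawed dispatch (first-match): the first target registered on the path
    supplies the policy context, but the signature is accepted if ANY target on
    that path validates it. A request signed for account B therefore runs under
    account A's allowlist and session policy."""
    on_path = [t for t in targets if t.path == path]
    if not on_path:
        return ("reject", "no target on path")
    context = on_path[0]  # policy context chosen by registration order, not by who signed
    if not any(verifies(t, body, signature) for t in on_path):
        return ("reject", "bad signature")
    if sender not in context.allowlist:
        return ("reject", f"{sender} not allowed for {context.account}")
    return ("accept", context.account)


def route_by_verified_target(targets, path, body, signature, sender):
    """Hardened dispatch: the policy context is the one target whose secret
    verifies the request. Zero or multiple verifying targets are refused
    instead of being resolved by registration order."""
    on_path = [t for t in targets if t.path == path]
    matched = [t for t in on_path if verifies(t, body, signature)]
    if len(matched) != 1:
        return ("reject", "no unique verified target")
    context = matched[0]
    if sender not in context.allowlist:
        return ("reject", f"{sender} not allowed for {context.account}")
    return ("accept", context.account)


# Constructed scenario: two accounts share the same HTTP path.
TARGETS = (
    WebhookTarget("account-A", "/hooks/chat", b"secret-A", frozenset({"alice@example.test"})),
    WebhookTarget("account-B", "/hooks/chat", b"secret-B", frozenset({"bob@example.test"})),
)
BODY = b'{"event":"message","text":"hello"}'


def demo():
    """A request correctly signed for account B, from a sender that only
    account A's allowlist permits. Returns (flawed_result, hardened_result)."""
    sig_b = sign(b"secret-B", BODY)
    flawed = route_first_match(TARGETS, "/hooks/chat", BODY, sig_b, "alice@example.test")
    fixed = route_by_verified_target(TARGETS, "/hooks/chat", BODY, sig_b, "alice@example.test")
    return flawed, fixed


if __name__ == "__main__":
    flawed, fixed = demo()
    print("first-match routing :", flawed)   # accepted under account-A's context
    print("verified-target routing:", fixed)  # rejected: not allowed for account-B
```

The design point for anyone building multi-tenant webhook receivers: the identity that authenticated the request must be the identity whose policy is applied, and when several tenants can legitimately share an endpoint, the dispatcher has to resolve the tenant from the verification result rather than from lookup order.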

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 2.6% (probability of exploitation in the next 30 days)

Impact

Attackers can bypass allowlists and session policies, potentially accessing or manipulating webhook events under incorrect account contexts.

Mitigation

Update to version 2026.2.14 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 6, 2026

🔓 CVE-2026-28469 - Critical (9.8) OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit fir... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28469/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-28469
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: new
EPSS: 2.6%
Social Posts: 1

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

2.6% (probability of exploitation in the next 30 days)