
[MEDIUM] Security Advisory: OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName (openclaw)

Google Chat integrations built with the openclaw npm package face a serious authorization bypass vulnerability up to version 2026.3.24. Attackers can rebind group policies by exploiting mutable space display names, granting unauthorized access to protected chats. Developers using openclaw must upgrade to 2026.3.25 or later immediately.

This flaw stems from openclaw’s reliance on changeable display names for authorization decisions, rather than stable group identifiers. In Google Chat, spaces have human-readable display names set by admins—names that anyone with edit permissions can alter. Openclaw versions through 2026.3.24 used these names as the key for policy enforcement, creating a straightforward rebinding attack vector.

Vulnerability Mechanics

Here’s how it works. Google Chat spaces carry immutable IDs like spaces/abc123, but openclaw checked policies against the mutable displayName. An attacker with access to any space could rename it to match a target protected space’s display name. Openclaw then applies the wrong group’s policies, potentially allowing read/write access where none should exist.

Collisions become trivial in large organizations. With thousands of spaces, similar names are inevitable, and admins frequently tweak them for clarity. The advisory confirms vulnerability on tag v2026.3.24; the fix in commit 11ea1f67863d88b6cbcb229dd368a45e07094bff switches to stable group IDs pulled from the Chat API.

If you are running a vulnerable version, you can reproduce it: create two spaces, a public one with displayName "team-updates" and a private one renamed to the same displayName "team-updates". Openclaw’s authz fails to distinguish them, leaking messages or permitting joins.
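The two-space scenario above, modelled as an added example (not openclaw’s own code): the policy tables, the space objects and every function name are constructed here, and each space carries the two Google Chat Space fields the advisory contrasts, the immutable resource name ("spaces/...") and the admin-editable displayName.

```javascript
// Added illustration of the displayName-vs-name flaw described above. This is
// not openclaw's code: the policy tables, the space objects and all function
// names are constructed for the example. Space objects carry the two Google
// Chat Space fields the advisory contrasts: the immutable resource name
// ("spaces/...") and the admin-editable displayName.

// Constructed policy: which notification topics the integration may deliver
// into a space. Keyed on displayName (vulnerable) and on name (fixed).
const policyByDisplayName = {
  "team-updates": { topics: new Set(["finance-report"]) },
};
const policyByName = {
  "spaces/priv001": { topics: new Set(["finance-report"]) },
};

// Constructed spaces: the protected one and one the attacker can rename.
const protectedSpace = { name: "spaces/priv001", displayName: "team-updates" };
const attackerSpace = { name: "spaces/pub002", displayName: "random-chatter" };

// Vulnerable pattern (openclaw through 2026.3.24): displayName selects policy.
function mayDeliverVulnerable(space, topic) {
  const policy = policyByDisplayName[space.displayName];
  return policy !== undefined && policy.topics.has(topic);
}

// Fixed pattern (2026.3.25): the stable resource name selects policy, so a
// renamed space never inherits another space's permissions.
function mayDeliverFixed(space, topic) {
  const policy = policyByName[space.name];
  return policy !== undefined && policy.topics.has(topic);
}

// Simulate the rebinding: the attacker's space is renamed to collide with the
// protected space's displayName, and both checks are re-evaluated.
function simulateRebinding(topic) {
  const renamed = { ...attackerSpace, displayName: protectedSpace.displayName };
  return {
    beforeRename: {
      vulnerable: mayDeliverVulnerable(attackerSpace, topic),
      fixed: mayDeliverFixed(attackerSpace, topic),
    },
    afterRename: {
      vulnerable: mayDeliverVulnerable(renamed, topic),
      fixed: mayDeliverFixed(renamed, topic),
    },
  };
}

console.log(JSON.stringify(simulateRebinding("finance-report"), null, 2));
```

After the rename the vulnerable check delivers the protected topic into the attacker’s space while the name-keyed check still refuses it, which is exactly the distinction the 2026.3.25 fix restores.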

Scope and Impact

Openclaw targets Google Chat bots and integrations, common in enterprise workflows for notifications, Slack-like collaboration, and automation. At verification, the latest npm version was 2026.3.24—all installs are exposed. No evidence of widespread exploitation yet, but Google Workspace handles sensitive comms: project updates, HR announcements, even financial data in fintech setups.

Why this matters: Authz bypasses cascade. A compromised integration reads all messages in rebound groups, injects spam, or escalates to API token theft. In regulated sectors like finance or healthcare, this violates compliance—think GDPR data exposure or SOX audit failures. We’ve seen similar issues in Slack apps; displayName reliance is a recurring anti-pattern ignored by rushed devs.

Skeptically, the package’s version scheme (2026.3.24) screams pre-release or internal tooling. npm shows no public openclaw at this scale, suggesting niche or test use. Still, if you’re pulling it, assume enterprise risk. Dependency chains amplify reach—audit your node_modules.

Remediation and Broader Lessons

Upgrade to 2026.3.25 or pull the fix commit directly. Run

npm install openclaw@2026.3.25

then verify with

npm ls openclaw

Test post-upgrade: policy checks should now reference space.name IDs, not displayNames.

Beyond patching, audit all Chat integrations. Google Workspace APIs expose space.metadata.name as the anchor—use it. Enable domain-wide delegation sparingly; prefer service accounts scoped to specific spaces. Monitor audit logs for name changes via Admin console.

This exposes sloppy authz in third-party libs. Openclaw’s maintainers fixed it fast, but users bear the brunt. In security, stable identifiers trump mutable labels every time. If your stack touches Google Chat, scan now—npm audit misses logic flaws like this.

Bottom line: One mutable field undid group isolation. Update, then harden. In a world of API sprawl, these oversights cost breaches.

March 30, 2026 · Source: GitHub Security