GHSA-52Q4-3XJC-6778: Authorization Bypass via Mutable Metadata in OpenClaw Google Chat Integration

The openclaw npm package provides an AI agent framework with various platform integrations. The Google Chat extension implements authorization logic to restrict specific agent capabilities to designated chat spaces. Vulnerable versions of this extension suffer from an authorization bypass flaw due to improper reliance on mutable metadata for access control.

This vulnerability is classified under CWE-863 (Incorrect Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key). The defect resides in the policy resolution routing logic which maps incoming chat messages to configured permission models. By exploiting this mechanism, unauthorized users achieve privilege escalation within the context of the AI agent's operational permissions.

The core issue stems from using the Google Chat space displayName as a primary key for security policy enforcement. Administrators frequently map privileged agent tools to human-readable room names rather than immutable identifiers. Attackers exploit this by instantiating a new space and applying the targeted name, thus inheriting the associated authorization profile.

The root cause is located in the resolveGroupConfig function within the extensions/googlechat/src/monitor-access.ts file. This component evaluates incoming webhook payloads from Google Chat to determine the appropriate authorization tier for the request. The function constructs a list of lookup candidates based on the message metadata.

In versions prior to 2026.3.25, the candidate array prioritized the immutable groupId but subsequently fell back to the mutable groupName and a normalized representation of the groupName. The system then executed a mapping lookup against the configured policy definitions. If the administrator configured the bot using a human-readable room name, the lookup succeeded based entirely on user-controlled metadata.

Because any Google Chat user with management permissions can arbitrarily modify the displayName of a space they control, the groupName variable is completely untrusted. The application incorrectly elevated this untrusted string to an authoritative policy key. This architectural flaw broke the fundamental security boundary between distinct chat spaces.

The vulnerable implementation constructed an array of lookup keys and evaluated them sequentially. The application used the find(Boolean) method to select the first matching policy configuration based on the provided candidates.

// Vulnerable implementation in monitor-access.ts
const candidates = [groupId, groupName ?? "", normalizedName ?? ""].filter(Boolean);
let entry = candidates.map((candidate) => entries[candidate]).find(Boolean);

The patch introduced in commit 11ea1f67863d88b6cbcb229dd368a45e07094bff fundamentally alters this trust model. The revised logic strictly enforces the use of the immutable groupId for policy resolution. The application now explicitly evaluates whether a match would have occurred using the legacy, mutable groupName variables.

// Patched implementation in monitor-access.ts
const entry = entries[groupId]; // Use stable ID only
const deprecatedNameMatch = !entry && Boolean(
  groupName && keys.some((key) => {
    return trimmed === groupName || trimmed.toLowerCase() === normalizedGroupName;
  })
);

When a deprecatedNameMatch is detected, the application explicitly nullifies the resolved entry and flags the request. The downstream message handler evaluates this flag and drops the incoming payload. Furthermore, this logic explicitly prevents the system from falling back to a global wildcard policy if an invalid legacy name is utilized.

Exploitation requires the attacker to possess basic interaction access with the OpenClaw agent and the ability to create new Google Chat spaces. The attacker begins by enumerating or inferring the target organization's privileged group names. Common naming conventions or leaked bot configurations often reveal these identifiers.

The attacker provisions a new Google Chat space and grants themselves administrative control over the space settings. They then invoke the renaming function to alter the displayName to match the targeted privileged group. Once the space is renamed, the attacker invites the OpenClaw agent into the compromised environment.

The attacker subsequently issues a privileged command to the agent. The webhook payload dispatched to the OpenClaw backend includes the attacker-controlled groupName. The vulnerable routing logic matches this string against the administrative policy and grants the requested access, resulting in arbitrary execution of the agent's restricted toolset.

The primary impact is unauthorized access to the functionality and data exposed by the OpenClaw AI agent. Because AI agents frequently integrate with backend infrastructure, databases, and continuous integration pipelines, the scope of the impact mirrors the permissions granted to the agent itself.

An attacker successfully exploiting this vulnerability executes actions under the authorization context of the targeted high-privilege group. If the agent possesses read access to financial records or write access to source code repositories, the attacker gains identical capabilities. The bypass renders all platform-side access controls ineffective.

The vulnerability scores an 8.1 on the CVSS v3 framework based on patch analysis. The attack vector is network-based, requires low privileges, and does not require user interaction from a victim. The impact on confidentiality and integrity is high, contingent upon the specific tools integrated into the OpenClaw deployment.

Organizations utilizing the OpenClaw framework must upgrade the openclaw npm package to version 2026.3.25 or later. This release enforces strict validation of the immutable groupId parameter and implements a fail-closed mechanism for legacy configuration attempts.

Administrators must proactively audit and update their channels.googlechat.groups configuration file. All human-readable room names must be replaced with the corresponding immutable Space IDs. These identifiers utilize the format spaces/XXXXXXXX and remain static regardless of user-initiated metadata changes.

Security teams can detect exploitation attempts by monitoring application logs. Patched versions of OpenClaw emit specific warnings when legacy routing matches occur. Search for the log entry Deprecated Google Chat group key detected: group routing now requires stable space ids or drop group message (deprecated mutable group key matched) to identify in-progress attacks or misconfigured environments.