CVE-2026-35635 MEDIUM

CVE-2026-35635: OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat

Vendor Openclaw
Product OpenClaw
Weakness CWE-706
Published April 9, 2026
Last update May 25, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.
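
A configuration audit for the condition described above, added here as an example and not taken from OpenClaw's code: it resolves each account's effective webhook path, including inherited ones, and reports any path claimed by more than one account. The config shape (`channelDefaults`, `accounts`, `webhookPath`, `dmPolicy`), the policy values and the fallback path are assumptions made for illustration.

```javascript
// Added example: the config shape (channelDefaults, accounts, webhookPath, dmPolicy)
// is assumed for illustration and is not OpenClaw's actual schema.
const DEFAULT_PATH = "/webhook/synology"; // hypothetical fallback path

// Collapse repeated slashes and drop a trailing slash so that
// "/hooks/synology/" and "/hooks/synology" compare as the same route.
function normalizePath(p) {
  const collapsed = ("/" + p.trim()).replace(/\/+/g, "/");
  return collapsed.length > 1 ? collapsed.replace(/\/$/, "") : collapsed;
}

// Effective path: the account's own value, else the inherited channel default, else the fallback.
function effectivePath(account, channelDefaults) {
  return normalizePath(account.webhookPath ?? channelDefaults.webhookPath ?? DEFAULT_PATH);
}

// Returns one finding per webhook path claimed by more than one account.
function findSharedWebhookPaths(config) {
  const owners = new Map();
  for (const [id, account] of Object.entries(config.accounts)) {
    const path = effectivePath(account, config.channelDefaults ?? {});
    const inherited = account.webhookPath === undefined;
    if (!owners.has(path)) owners.set(path, []);
    owners.get(path).push({ id, inherited, dmPolicy: account.dmPolicy ?? "unset" });
  }
  const findings = [];
  for (const [path, claimants] of owners) {
    if (claimants.length < 2) continue;
    findings.push({
      path,
      accounts: claimants.map((c) => c.id),
      inheritedBy: claimants.filter((c) => c.inherited).map((c) => c.id),
      // Differing policies on one path mean one account's DM rules can be sidestepped.
      policiesDiffer: new Set(claimants.map((c) => c.dmPolicy)).size > 1,
    });
  }
  return findings;
}

// Constructed sample configuration: "sales" inherits the default path,
// "ops" duplicates it with a trailing slash.
const sampleConfig = {
  channelDefaults: { webhookPath: "/hooks/synology" },
  accounts: {
    support: { webhookPath: "/hooks/support", dmPolicy: "allowlist" },
    sales: { dmPolicy: "allowlist" },
    ops: { webhookPath: "/hooks/synology/", dmPolicy: "open" },
  },
};

console.log(JSON.stringify(findSharedWebhookPaths(sampleConfig), null, 2));
```

A non-empty result means two or more accounts resolve to the same route; giving each account an explicit, unique path removes the overlap.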

Key dates

02 Disclosure timeline

April 9, 2026 CVE published
May 25, 2026 Record updated