Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/50193?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50193?format=api", "vulnerability_id": "VCID-jekq-y7ju-hfdc", "summary": "OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting\nWhen multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.", "aliases": [ { "alias": "CVE-2026-28469" }, { "alias": "GHSA-rq6g-px6m-c248" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74053?format=api", "purl": "pkg:npm/openclaw@2026.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.14" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74091?format=api", "purl": "pkg:npm/clawdbot@2026.1.24-3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3m66-j8ru-gkhq" }, { "vulnerability": "VCID-6xkm-ym55-2yfp" }, { "vulnerability": "VCID-73gk-ecqv-tyej" }, { "vulnerability": "VCID-8bxj-nx1j-efc9" }, { "vulnerability": "VCID-ack4-vu5k-muaj" }, { "vulnerability": "VCID-jekq-y7ju-hfdc" }, { "vulnerability": "VCID-nu42-52us-v7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24-3" } ], "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", 
"reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469", "reference_id": "CVE-2026-28469", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469" }, { "reference_url": "https://github.com/advisories/GHSA-rq6g-px6m-c248", "reference_id": "GHSA-rq6g-px6m-c248", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rq6g-px6m-c248" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248", "reference_id": "GHSA-rq6g-px6m-c248", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248" } ], "weaknesses": [ { "cwe_id": 284, "name": "Improper Access Control", "description": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor." }, { "cwe_id": 639, "name": "Authorization Bypass Through User-Controlled Key", "description": "The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." 
}, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jekq-y7ju-hfdc" }