Lucene search
K

24 matches found

EUVD
EUVD
β€’added 2026/05/11 6:31 p.m.β€’11 views

EUVD-2026-29158

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

7.5CVSS6.8AI score0.00636EPSS
Exploits1References10
NVD
NVD
β€’added 2026/05/11 6:16 p.m.β€’17 views

CVE-2026-8305

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

9.8CVSS0.00636EPSS
Exploits1References9
Snyk
Snyk
β€’added 2026/05/11 6:11 p.m.β€’7 views

Improper Authentication

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Improper Authentication via the handleBlueBubblesWebhookRequest function. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, an...

9.8CVSS7.1AI score0.00636EPSS
Exploits1References2
Snyk
Snyk
β€’added 2026/05/11 6:11 p.m.β€’9 views

Improper Authentication

Overview openclaw is a 🦞 OpenClaw β€” Personal AI Assistant Affected versions of this package are vulnerable to Improper Authentication via the handleBlueBubblesWebhookRequest function. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, and availability ...

9.8CVSS7.1AI score0.00636EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
β€’added 2026/05/11 4:30 p.m.β€’6 views

CVE-2026-8305

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

7.5CVSS6.8AI score0.00636EPSS
Exploits1References9
Vulnrichment
Vulnrichment
β€’added 2026/05/11 4:30 p.m.β€’7 views

CVE-2026-8305 OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

7.5CVSS6.8AI score0.00636EPSS
Exploits1References9
Cvelist
Cvelist
β€’added 2026/05/11 4:30 p.m.β€’36 views

CVE-2026-8305 OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

7.5CVSS0.00636EPSS
Exploits1References9
CVE
CVE
β€’added 2026/05/11 4:30 p.m.β€’17 views

CVE-2026-8305

The CVE refers to OpenClaw (bluebubbles Webhook) with the vulnerable element in extensions/bluebubbles/src/monitor.ts, function handleBlueBubblesWebhookRequest. The issue is improper authentication allowing remote initiation. It affects builds up to 2026.1.24; upgrading to version 2026.2.12 fixes...

9.8CVSS6.8AI score0.00636EPSS
Exploits1References9Affected Software1
Positive Technologies
Positive Technologies
β€’added 2026/05/11 12:0 a.m.β€’14 views

PT-2026-39703

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to...

7.5CVSS6.8AI score0.00636EPSS
Exploits1References10
Snyk
Snyk
β€’added 2026/03/06 1:0 a.m.β€’2 views

Missing Authentication for Critical Function

Overview openclaw is a 🦞 OpenClaw β€” Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the BlueBubbles plugin due to trusting the loopback remoteAddress without validating forwarding headers. An attacker...

8.2CVSS5.9AI score0.00408EPSS
Exploits0References2
NVD
NVD
β€’added 2026/03/05 10:16 p.m.β€’11 views

CVE-2026-28459

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append da...

8.1CVSS0.00363EPSS
Exploits0References4
Cvelist
Cvelist
β€’added 2026/03/05 9:59 p.m.β€’29 views

CVE-2026-28482 OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters

OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to...

8.4CVSS0.00136EPSS
Exploits0References4
CVE
CVE
β€’added 2026/03/05 9:59 p.m.β€’15 views

CVE-2026-28464

OpenClaw is affected in versions prior to 2026.2.12. The vulnerability arises from non-constant-time string comparison used for hook token validation, enabling timing side-channel attacks. An attacker with network access to the hooks endpoint can infer the authentication token by measuring respon...

8.2CVSS5.9AI score0.00386EPSS
Exploits0References3Affected Software1
OSV
OSV
β€’added 2026/03/02 10:43 p.m.β€’4 views

GHSA-JMM5-FVH5-GF4P OpenClaw has non-constant-time token comparison in hooks authentication

Summary OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In...

8.2CVSS5.9AI score0.00386EPSS
Exploits0References5
OSV
OSV
β€’added 2026/03/02 10:43 p.m.β€’15 views

GHSA-47Q7-97XP-M272 OpenClaw: Config writes could persist resolved ${VAR} secrets to disk

Summary OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In...

6.9CVSS5.9AI score0.00284EPSS
Exploits0References5
Github Security Blog
Github Security Blog
β€’added 2026/03/02 10:43 p.m.β€’8 views

OpenClaw: Config writes could persist resolved ${VAR} secrets to disk

Summary OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token. In...

6.3CVSS5.9AI score0.00284EPSS
Exploits0References5Affected Software1
Vulnrichment
Vulnrichment
β€’added 2026/02/19 11:8 p.m.β€’3 views

CVE-2026-26972 OpenClaw has a Path Traversal in Browser Download Functionality

OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads...

6.7CVSS5.5AI score0.00199EPSS
Exploits0References3
Cvelist
Cvelist
β€’added 2026/02/19 11:8 p.m.β€’23 views

CVE-2026-26972 OpenClaw has a Path Traversal in Browser Download Functionality

OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads...

6.7CVSS0.00199EPSS
Exploits0References3
Snyk
Snyk
β€’added 2026/02/18 12:56 a.m.β€’6 views

Origin Validation Error

Overview openclaw is a 🦞 OpenClaw β€” Personal AI Assistant Affected versions of this package are vulnerable to Origin Validation Error via the sessionssend sourceTool. An attacker can cause privileged actions to be performed by injecting crafted inter-session prompts that are misinterpreted as...

7.1CVSS5.6AI score
Exploits0References2
Snyk
Snyk
β€’added 2026/02/17 9:33 p.m.β€’3 views

Incorrect Authorization

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization via the webhook authentication. An attacker can gain unauthorized access and inject arbitrary webhook events by sending requests from a loopback...

7.5CVSS5.9AI score0.00319EPSS
Exploits0References2
Rows per page
Query Builder