Lucene search
K

15 matches found

CNVD
CNVD
added 2026/04/08 12:0 a.m.5 views

OpenClaw Authorization Problem Vulnerability (CNVD-2026-16622)

OpenClaw is a command line tool for rights management. An improper access control vulnerability exists in OpenClaw versions prior to 2026.3.12, which stems from a lack of owner-level permission checking in the /config and /debug command handlers. An attacker can use this vulnerability to read or...

8.8CVSS5.8AI score0.00251EPSS
Exploits0
CVE
CVE
added 2026/03/31 11:17 a.m.10 views

CVE-2026-32920

CVE-2026-32920 : OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, enabling arbitrary code execution. Attackers can place crafted workspace plugins in cloned repositories that execute when a user runs OpenClaw from ...

8.8CVSS6.1AI score0.00331EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/29 12:0 a.m.10 views

PT-2026-28499

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.12 Description The software embeds long-lived shared gateway credentials directly within pairing setup codes. These codes are generated by the /pair API endpoint and the OpenClaw qr command. If setup codes are...

8.6CVSS5.9AI score0.00246EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/29 12:0 a.m.5 views

PT-2026-28456

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.12 Description The software contains a weak authorization issue in Zalouser allowlist mode. The system incorrectly matches mutable group display names instead of stable group identifiers. This allows attackers...

9.8CVSS5.9AI score0.00335EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/29 12:0 a.m.2 views

PT-2026-28455

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.12 Description OpenClaw is susceptible to an authentication bypass issue in Feishu webhook mode. This occurs when only the verificationToken is configured, and the encryptKey is not. This allows unauthenticate...

8.8CVSS6.1AI score0.00247EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/03/13 8:55 p.m.15 views

OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation

Summary The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned 401 but did not count against the rate limiter, allowing repeated secret guesses without triggering 429. Impact This made brute-force guessing...

6.9CVSS5.8AI score0.00272EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/03/13 8:55 p.m.4 views

GHSA-5M9R-P9G7-679C OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation

Summary The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned 401 but did not count against the rate limiter, allowing repeated secret guesses without triggering 429. Impact This made brute-force guessing...

6.9CVSS5.9AI score0.00272EPSS
Exploits0References7
Snyk
Snyk
added 2026/03/13 8:55 p.m.3 views

Improper Verification of Cryptographic Signature

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the webhook event validation. An attacker can inject forged events and impersonate legitimate senders by submitting crafted requests t...

9.8CVSS5.8AI score0.00247EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:55 p.m.4 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via insufficient access control in the command handler. An attacker can gain unauthorized access to privileged configuration and debugging interfaces by sending...

8.8CVSS5.9AI score0.00251EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:55 p.m.8 views

Permissive Regular Expression

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Permissive Regular Expression via the matchesExecAllowlistPattern function. An attacker can bypass intended command or executable path restrictions by crafting paths that exploit overly...

9.8CVSS5.6AI score0.00406EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/13 8:54 p.m.12 views

OpenClaw: Feishu reaction events could bypass group authorization and mention gating

Summary A Feishu reaction-originated synthetic event could misclassify a group conversation as p2p when the inbound reaction payload omitted chattype. Authorization and mention-gating logic keyed off that incorrect chat type and evaluated the event as a direct message instead of a group message...

5.8AI score
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/03/13 8:54 p.m.3 views

Incorrect Authorization

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Incorrect Authorization via the event authorization. An attacker can bypass group authorization and mention gating by crafting a synthetic reacti...

9.8CVSS5.8AI score0.00309EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:54 p.m.3 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the browser.request. An attacker can modify or create browser profiles and persist unauthorized configuration changes by sending crafted requests to profile...

7.1CVSS5.8AI score0.00288EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:54 p.m.4 views

Incorrect Authorization

Overview @openclaw/zalouser is an OpenClaw Zalo Personal Account plugin via native zca-js integration Affected versions of this package are vulnerable to Incorrect Authorization in the channels.zalouser.groups. An attacker can gain unauthorized access to restricted channels by reusing a display...

9.8CVSS5.8AI score0.00335EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/13 8:54 p.m.13 views

OpenClaw's Zalouser allowlist authorization matched mutable group names by default

Summary OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be...

5.8AI score
Exploits0References3Affected Software1
Rows per page
Query Builder