PT-2026-39717

Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.4.1 Description An issue exists where master-password re-authentication is not required when retrieving or rotating an organization's SCIM API key. This allows an authenticated user with SCIM management...

PT-2026-39681

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX API HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization header...

CVE-2026-8198 Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 - Unauthenticated Information Disclosure via REST API

The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an...

OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured

Summary The OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANAENDPOINTPROXY environment variable. If a network attacker can Man-in-the-Middle MitM the...

gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense

Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no...

CVE-2026-41487

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...

CVE-2026-41487 Langfuse: Improper role-based-access control in Langfuse LLM connection management allowed users of role “member” to retrieve stored LLM provider API keys

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...

CVE-2026-41487

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...

CVE-2026-42208

LiteLLM proxy (AI Gateway) versions 1.81.16–1.83.6 suffer a SQL injection in the proxy API key verification path where the caller-supplied key is interpolated into a SQL query during error handling. An unauthenticated attacker can send a crafted Authorization header to LLM routes (e.g., POST /cha...

PT-2026-39240

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Exporter.Instana affected versions not specified Description The OpenTelemetry.Exporter.Instana NuGet package fails to validate HTTPS/TLS certificates when sending telemetry to an Instana back-end if a proxy is configured via the...

ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check

Summary GET /api/namespaces/:tenant returns the full namespace object — including the members list user IDs, e-mails, roles, settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the...

ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key

Summary Between 2026-02 and 2026-04-24 a total of 22 public PyPI sdists of ogham-mcp contained development credentials embedded in source files. All credentials have since been rotated on the respective providers. No known exploitation. Upgrade to v0.11.1 to get a clean release. What was leaked |...

GHSA-8PQQ-224H-X875 ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key

Summary Between 2026-02 and 2026-04-24 a total of 22 public PyPI sdists of ogham-mcp contained development credentials embedded in source files. All credentials have since been rotated on the respective providers. No known exploitation. Upgrade to v0.11.1 to get a clean release. What was leaked |...

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...

CVE-2026-42226

The CVE concerns n8n, an open source workflow automation platform. Before versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workfl...

CVE-2026-42226 n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay

n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supp...

PT-2026-37202

Name of the Vulnerable Software and Affected Versions Quarkus OpenAPI Generator versions prior to 2.11.1-lts Quarkus OpenAPI Generator versions prior to 2.16.0-lts Quarkus OpenAPI Generator versions prior to 2.17.0 Description The generated authentication filter matches OpenAPI path templates too...

clan-nxt-toolkit

🔴 CLAN NXT Toolkit ██████╗██╗ █████╗ ███╗ ██╗...

GHSA-R4V6-9FQC-W5JR n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay

Impact The dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and u...

OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.5, 2026.4.20 - Patched version: 2026.4.20 Impact A malicious workspace .env could set MINIMAXAPIHOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the...