37 matches found
EUVD-2026-43565
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
EUVD-2026-43566
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62188
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62187
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
CVE-2026-62188 OpenClaw < 2026.6.9 Feishu Authorization Bypass
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62188 OpenClaw < 2026.6.9 Feishu Authorization Bypass
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62188
OpenClaw @openclaw/feishu (versions
CVE-2026-62187 OpenClaw < 2026.6.9 Feishu tools Authorization Bypass
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
CVE-2026-62187 OpenClaw < 2026.6.9 Feishu tools Authorization Bypass
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
CVE-2026-62187
The CVE affects the npm package @openclaw/feishu (OpenClaw Feishu tools). Versions up to and including 2026.6.6 could ignore per-account disablement, allowing a lower-trust caller or a configured input path to perform actions that should require stronger authorization. The consequence is unauthor...
PT-2026-57889
Name of the Vulnerable Software and Affected Versions @openclaw/feishu versions prior to 2026.6.9 Description The software may ignore per-account disablement, allowing a lower-trust caller or a configured input path to perform actions that require stronger authorization or policy checks. This can...
CVE-2026-46657 Bludit's persistent authentication tokens not revoked upon account disablement
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
EUVD-2026-35085
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
CVE-2026-46657 Bludit's persistent authentication tokens not revoked upon account disablement
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
CVE-2026-46657 Bludit's persistent authentication tokens not revoked upon account disablement
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
CVE-2026-4913
Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled...
CVE-2026-44873
A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...
EUVD-2026-29822
A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...
CVE-2026-43983
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...
CVE-2026-43983 Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...