Lucene search
K

38 matches found

OSV
OSV
added 2026/07/02 4:56 p.m.5 views

GHSA-77PV-3W4Q-VRJ5 OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks

Summary QQBot pre-dispatch slash commands could skip allowFrom checks. In affected versions, a QQBot sender able to invoke slash commands could dispatch the command before applying the configured allowFrom policy. This advisory is scoped to the named feature and configuration. It does not change...

6.9CVSS6AI score0.00192EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 4:48 p.m.7 views

GHSA-W4V6-G3WM-W36C OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy

Summary QQBot admin commands could skip DM-only and allowFrom policy. In affected versions, a QQBot sender able to trigger the exported command could route admin commands without the QQBot-specific DM-only and allowFrom checks. This advisory is scoped to the named feature and configuration. It do...

9.3CVSS6AI score0.00148EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 8:36 p.m.8 views

User Impersonation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to User Impersonation via the allowFrom process. An attacker can gain unauthorized access to agent privileges intended for another Discord identity by exploiting mutable display name metadat...

8.6CVSS5.9AI score0.00267EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 6:5 p.m.3 views

CVE-2026-53854 OpenClaw < 2026.4.25 - Privilege Escalation via ownerAllowFrom Wildcard Inheritance in Internal/Webchat Commands

OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to...

6CVSS6AI score0.00245EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.15 views

PT-2026-49771

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.25 Description An issue in internal and webchat command authentication allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. This enables attackers to send commands on affected...

6.5CVSS5.5AI score0.00245EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.14 views

PT-2026-49774

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.3 Description A policy enforcement issue exists where Zalo contacts with mutable display metadata can match allowFrom policy entries by changing their display names. This allows attackers with mutable display...

8.6CVSS5.2AI score0.00225EPSS
Exploits0References5
OSV
OSV
added 2026/06/12 9:56 p.m.4 views

CVE-2026-53833 QQBot for OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command

OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching t...

7.4CVSS5.9AI score0.00172EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/11 8:7 p.m.32 views

CVE-2026-53811 OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another...

8.8CVSS0.00309EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/11 8:5 p.m.13 views

CVE-2026-53807 OpenClaw < 2026.5.6 - Authorization Bypass in Telegram Interactive Callbacks via commands.allowFrom

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied,...

8.8CVSS5.2AI score0.00312EPSS
Exploits0References2
CVE
CVE
added 2026/06/11 8:5 p.m.26 views

CVE-2026-53807

OpenClaw prior to 2026.5.6 is vulnerable to an authorization bypass in Telegram interactive callbacks via commands.allowFrom. An authenticated user can invoke affected callbacks to bypass allowlist validation and mark themselves as authorized senders, enabling command behavior outside Telegram se...

8.8CVSS5.5AI score0.00312EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/05/29 4:16 p.m.18 views

CVE-2026-34507

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS0.00148EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/29 3:9 p.m.19 views

EUVD-2026-33334

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS5.9AI score0.00148EPSS
Exploits0References2
CVE
CVE
added 2026/05/29 3:9 p.m.28 views

CVE-2026-34507

OpenClaw vulnerable before 2026.4.29: policy bypass in QQBot admin commands allows authenticated senders to skip DM-only and allowFrom checks, enabling routing of admin commands from unauthorized senders/contexts to execute restricted behavior. CVSS metrics: CVSS 4.0 base 2.3 (LOW) and CVSS 3.1 b...

5.4CVSS5.9AI score0.00148EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/29 3:9 p.m.12 views

CVE-2026-34507

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS5.9AI score0.00148EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/29 3:9 p.m.19 views

CVE-2026-34507 OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS5.9AI score0.00148EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 3:9 p.m.37 views

CVE-2026-34507 OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS0.00148EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 3:9 p.m.9 views

CVE-2026-34507 OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

2.3CVSS6.1AI score0.00148EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/11 6:31 p.m.14 views

Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c28g-vh7m-fm7v. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner...

4.2CVSS5.8AI score0.00237EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2026/05/11 6:16 p.m.25 views

CVE-2026-44991

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands...

4.2CVSS0.00237EPSS
Exploits0References4
CVE
CVE
added 2026/05/11 4:46 p.m.20 views

CVE-2026-44991

CVE-2026-44991 affects OpenClaw prior to 2026.4.21. A vulnerability in command-auth.ts allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. This bypasses owner-only command authorization checks on...

4.2CVSS5.9AI score0.00237EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder