58 matches found

Source: CVE | added 2026/06/16 6:05 p.m. | 17 views

CVE-2026-53857

OpenClaw before 2026.5.3 is vulnerable: the policy enforcement flaw allows Zalo display-name changes to influence allowFrom policy matching, causing attackers with mutable display names to receive responses intended for other Zalo identities when the feature is enabled. Affected product: OpenClaw...

CVSS 8.6 | AI score 5.3 | EPSS 0.00225 | Exploits 0 | References 2 | Affected Software 1
Source: EUVD | added 2026/06/13 12:34 a.m. | 9 views

EUVD-2026-36622

OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering comman...

CVSS 8.2 | AI score 5.3 | EPSS 0.00192 | Exploits 0 | References 3
Source: EUVD | added 2026/06/13 12:34 a.m. | 8 views

EUVD-2026-36611

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

CVSS 8.6 | AI score 5.2 | EPSS 0.00209 | Exploits 0 | References 3
Source: CVE | added 2026/06/12 9:56 p.m. | 27 views

CVE-2026-53834

OpenClaw before 2026.4.27 contains an authorization bypass in QQBot pre-dispatch slash commands that allows authenticated senders to bypass allowFrom policy checks. Attackers can invoke slash commands before access control policies are applied, potentially triggering command handling f...

CVSS 8.2 | AI score 5.4 | EPSS 0.00192 | Exploits 0 | References 2 | Affected Software 1
Source: Cvelist | added 2026/06/12 9:56 p.m. | 28 views

CVE-2026-53834 OpenClaw < 2026.4.27 - Authorization Bypass in QQBot Pre-dispatch Slash Commands

OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering comman...

CVSS 8.2 | EPSS 0.00192 | Exploits 0 | References 2
Source: CVE | added 2026/06/12 9:56 p.m. | 17 views

CVE-2026-53833

OpenClaw before 2026.4.29 contains an authorization bypass in the QQBot streaming command that lets authenticated senders mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside the intended admin policy by accessing the affected co...

CVSS 7.7 | AI score 5.3 | EPSS 0.00172 | Exploits 0 | References 2 | Affected Software 1
Source: Vulnrichment | added 2026/06/12 9:56 p.m. | 8 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

CVSS 8.6 | AI score 5.3 | EPSS 0.00209 | Exploits 0 | References 2
Source: CVE | added 2026/06/12 9:56 p.m. | 23 views

CVE-2026-53823

OpenClaw is affected by a privilege-escalation vulnerability in the allowFrom feature, where binding to mutable Slack display names enables an attacker with Slack account access to alter display name metadata to match policy entries and gain unauthorized agent access intended for other identities...

CVSS 8.6 | AI score 5.3 | EPSS 0.00209 | Exploits 0 | References 2 | Affected Software 1
Source: Cvelist | added 2026/06/12 9:56 p.m. | 29 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

CVSS 8.6 | EPSS 0.00209 | Exploits 0 | References 2
Source: Positive Technologies | added 2026/06/12 12:00 a.m. | 12 views

PT-2026-49027

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.5.3. Description: A privilege escalation issue exists in the allowFrom feature, which binds to mutable Slack display names. Attackers with access to a Slack account can modify display name metadata to match policy...

CVSS 8.6 | AI score 5.2 | EPSS 0.00209 | Exploits 0 | References 6
Source: Positive Technologies | added 2026/06/12 12:00 a.m. | 10 views

PT-2026-49038

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.27. Description: An authorization bypass exists in QQBot pre-dispatch slash commands. This issue allows authenticated senders to skip allowFrom policy checks, enabling them to invoke slash commands before...

CVSS 8.2 | AI score 5.3 | EPSS 0.00192 | Exploits 0 | References 5
Source: NVD | added 2026/06/11 9:16 p.m. | 9 views

CVE-2026-53811

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another...

CVSS 8.8 | EPSS 0.00309 | Exploits 0 | References 2
Source: NVD | added 2026/06/11 9:16 p.m. | 9 views

CVE-2026-53807

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied,...

CVSS 8.8 | EPSS 0.00312 | Exploits 0 | References 2
Source: Vulnrichment | added 2026/06/11 8:07 p.m. | 8 views

CVE-2026-53811 OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another...

CVSS 8.8 | AI score 5.2 | EPSS 0.00309 | Exploits 0 | References 2
Source: CVE | added 2026/06/11 8:07 p.m. | 16 views

CVE-2026-53811

OpenClaw is affected up to version 2026.5.7. The vulnerability is a privilege escalation in the Matrix allowFrom feature caused by mutable display name metadata, allowing authenticated accounts to match policy entries and receive agent access intended for another Matrix identity. Depending on ope...

CVSS 8.8 | AI score 5.5 | EPSS 0.00309 | Exploits 0 | References 2 | Affected Software 1
Source: EUVD | added 2026/06/11 8:07 p.m. | 8 views

EUVD-2026-36317

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another...

CVSS 8.8 | AI score 5.5 | EPSS 0.00309 | Exploits 0 | References 2
Source: Cvelist | added 2026/06/11 8:05 p.m. | 30 views

CVE-2026-53807 OpenClaw < 2026.5.6 - Authorization Bypass in Telegram Interactive Callbacks via commands.allowFrom

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied,...

CVSS 8.8 | EPSS 0.00312 | Exploits 0 | References 2
Source: EUVD | added 2026/06/11 8:05 p.m. | 12 views

EUVD-2026-36313

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied,...

CVSS 8.8 | AI score 5.5 | EPSS 0.00312 | Exploits 0 | References 2
Source: Positive Technologies | added 2026/06/11 12:00 a.m. | 12 views

PT-2026-48737

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.5.6. Description: An authorization bypass exists in Telegram interactive callbacks. Authenticated users can bypass the commands.allowFrom validation by invoking affected callbacks to mark themselves as authorized...

CVSS 8.8 | AI score 5.5 | EPSS 0.00312 | Exploits 0 | References 4
Source: Positive Technologies | added 2026/05/29 12:00 a.m. | 14 views

PT-2026-44895

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

CVSS 5.4 | AI score 5.9 | EPSS 0.00148 | Exploits 0 | References 3