
46 matches found

OSV, added 2026/03/04 6:58 p.m.

GHSA-F6H3-846H-2R8W OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization

Summary: In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context: OpenClaw is commonly used in 1:1 chats or trusted group...

CVSS 5.3 | AI score 5.9
Exploits: 0 | References: 3
Snyk, added 2026/03/04 6:58 p.m.

Authorization Bypass Through User-Controlled Key

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the tools.elevated.allowFrom process. An attacker can gain unauthorized elevated access by providing broader identity signals than...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 2
OSV, added 2026/03/03 9:41 p.m.

GHSA-J4XF-96QF-RX69 OpenClaw has a Feishu allowFrom authorization bypass via display-name collision

Summary: Feishu allowlist authorization could be bypassed by display-name collision. Details: channels.feishu.allowFrom is documented as an ID-based allowlist (openid list), but Feishu policy matching accepted mutable sender display names in the same namespace. An attacker could set a display name...

CVSS 6.5 | AI score 5.9 | EPSS 0.00042
Exploits: 0 | References: 5
Snyk, added 2026/02/17 10:56 p.m.

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via allowFrom. An attacker can gain unauthorized access by exploiting the acceptance of mutable email principals in authorization checks. Note: This is only...

CVSS 3.3 | AI score 5.7
Exploits: 0 | References: 3
OSV, added 2026/02/17 9:37 p.m.

GHSA-33RQ-M5X2-FVGF OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline

Summary: In the optional Twitch channel plugin extensions/twitch, allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot coul...

CVSS 7.3 | AI score 5.9 | EPSS 0.0012
Exploits: 1 | References: 6
Snyk, added 2026/02/17 9:34 p.m.

User Impersonation

Overview: @openclaw/matrix is an OpenClaw Matrix channel plugin. Affected versions of this package are vulnerable to User Impersonation via channels.matrix.dm.allowFrom. An attacker can impersonate an allowed identity and gain unauthorized access to the routing or agent pipeline by manipulating...

CVSS 6.9 | AI score 5.8 | EPSS 0.00044
Exploits: 0 | References: 2
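The entries above share one failure class: an allowFrom list documented as ID-based is matched against identity signals the sender controls (Feishu display names, email principals, whatever "broader signals" elevated mode accepted), or is not enforced as a hard gate at all (the Twitch plugin falling open when allowedRoles is empty). The following is an added illustration, not OpenClaw's code and not taken from any of the advisories: a hypothetical channel allowFrom matcher written with both defects, beside a hardened form that matches only the stable sender id unless mutable-metadata matching is explicitly enabled and that denies when nothing is configured. The types Sender and AllowFromConfig, the functions isAllowedVulnerable and isAllowedHardened, the option name matchMutableMetadata and all sample identities are constructed for this example.

```typescript
// Added example, not OpenClaw's code. Hypothetical allowFrom matcher for a
// chat-channel plugin showing the advisories' two defects and a hardened form.
// All identifiers and sample identities are constructed for this illustration.

interface Sender {
  id: string;            // stable, platform-assigned (an openid or user id)
  displayName?: string;  // mutable: the sender can set this to anything
  email?: string;        // mutable on some platforms
}

interface AllowFromConfig {
  allowFrom?: string[];            // documented as an ID-based allowlist
  allowedRoles?: string[];         // optional role gate (e.g. "moderator")
  matchMutableMetadata?: boolean;  // hardened form only: explicit opt-in
}

// "Before": any identity signal in the same namespace satisfies allowFrom
// (display-name collision), and an unset/empty allowedRoles falls open.
function isAllowedVulnerable(
  sender: Sender, cfg: AllowFromConfig, senderRoles: string[] = []
): boolean {
  const allow = cfg.allowFrom ?? [];
  const roles = cfg.allowedRoles ?? [];
  const signals = [sender.id, sender.displayName, sender.email]
    .filter((s): s is string => typeof s === "string");
  if (allow.some(entry => signals.includes(entry))) return true;
  if (roles.length === 0) return true;   // no role gate configured => allow
  return roles.some(r => senderRoles.includes(r));
}

// "After": allowFrom is a hard gate on the stable sender id; mutable metadata
// only counts when explicitly enabled; nothing configured means deny.
function isAllowedHardened(
  sender: Sender, cfg: AllowFromConfig, senderRoles: string[] = []
): boolean {
  const allow = cfg.allowFrom ?? [];
  const roles = cfg.allowedRoles ?? [];
  if (allow.length === 0 && roles.length === 0) return false; // default deny
  if (allow.length > 0) {
    let matched = allow.includes(sender.id);
    if (!matched && cfg.matchMutableMetadata === true) {
      const mutable = [sender.displayName, sender.email]
        .filter((s): s is string => typeof s === "string");
      matched = mutable.some(m => allow.includes(m));
    }
    if (!matched) return false;          // hard gate, regardless of roles
  }
  if (roles.length > 0 && !roles.some(r => senderRoles.includes(r))) return false;
  return true;
}

// Constructed scenarios; each verdict is [vulnerable, hardened].
const owner: Sender = { id: "ou_1111", displayName: "Alice" };
const collider: Sender = { id: "ou_9999", displayName: "ou_1111" }; // display name set to the owner's id
const stranger: Sender = { id: "ou_5555" };
const idOnly: AllowFromConfig = { allowFrom: ["ou_1111"] };
const nothingSet: AllowFromConfig = {};
const roleOnly: AllowFromConfig = { allowedRoles: ["moderator"] };

function verdicts(s: Sender, c: AllowFromConfig, roles: string[] = []): [boolean, boolean] {
  return [isAllowedVulnerable(s, c, roles), isAllowedHardened(s, c, roles)];
}

console.log("owner, id allowlist        ", verdicts(owner, idOnly));                   // [true, true]
console.log("collider, id allowlist     ", verdicts(collider, idOnly));                // [true, false]
console.log("stranger, nothing set      ", verdicts(stranger, nothingSet));            // [true, false]
console.log("stranger, role gate, viewer", verdicts(stranger, roleOnly, ["viewer"]));  // [false, false]
console.log("stranger, role gate, mod   ", verdicts(stranger, roleOnly, ["moderator"])); // [true, true]
```

The collider and nothing-set scenarios are the two bypasses the advisories describe: the vulnerable matcher admits a sender whose chosen display name equals an allowlisted id, and admits anyone when no allowlist or role gate is configured. In the hardened form a matching stable id is required whenever allowFrom is set, mutable fields participate only under an explicit opt-in, and an empty configuration is closed rather than open.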