Lucene search
K

10 matches found

NVD
NVD
added 2026/04/28 12:16 a.m.6 views

CVE-2026-41367

OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement...

5.3CVSS0.00166EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/27 11:24 p.m.6 views

EUVD-2026-25947

OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement...

5.3CVSS5.1AI score0.00166EPSS
Exploits0References2
NVD
NVD
added 2026/04/10 5:17 p.m.4 views

CVE-2026-35621

OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal...

7.1CVSS0.00264EPSS
Exploits1References2
EUVD
EUVD
added 2026/04/10 4:3 p.m.5 views

EUVD-2026-21434

OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal...

7.1CVSS5.8AI score0.00264EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/10 4:3 p.m.4 views

CVE-2026-35621 OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence

OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal...

7.1CVSS5.8AI score0.00264EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.5 views

PT-2026-31956

OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal...

7.1CVSS5.8AI score0.00264EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/03/31 11:58 p.m.11 views

OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement

Summary Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages. Impact Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy. Affected...

5.8AI score
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/31 11:58 p.m.2 views

GHSA-JP4J-Q5FC-58GV OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement

Summary Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages. Impact Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy. Affected...

5.3CVSS5.8AI score
Exploits0References4
OSV
OSV
added 2026/03/03 7:50 p.m.2 views

GHSA-RM2P-J3R7-4X4J OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress

Summary OpenClaw Slack monitor handled reaction and pin non-message events before applying sender-policy checks consistently. In affected versions, these events could be added to system-event context even when sender policy would not normally allow them. Affected Packages / Versions - Package: np...

5.3CVSS5.9AI score0.00204EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2022/11/17 12:0 a.m.4 views

PT-2022-24948 · Unknown · Lightning Network Daemon

Name of the Vulnerable Software and Affected Versions: Lightning Network Daemon lnd versions prior to 0.15.4 Description: The issue is related to a block parsing bug that can cause a node to enter a degraded state. In this state, nodes can continue to make payments and forward HTLCs, and close ou...

8.2CVSS6.2AI score0.00999EPSS
Exploits1References9
Rows per page
Query Builder