Lucene search
+L

267 matches found

osv
osv
added 2026/07/02 4:48 p.m.8 views

GHSA-W4V6-G3WM-W36C OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy

Summary QQBot admin commands could skip DM-only and allowFrom policy. In affected versions, a QQBot sender able to trigger the exported command could route admin commands without the QQBot-specific DM-only and allowFrom checks. This advisory is scoped to the named feature and configuration. It do...

9.3CVSS6AI score0.00148EPSS
Exploits0References2
euvd
euvd
added 2026/06/13 12:34 a.m.11 views

EUVD-2026-36625

OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted conte...

6.3CVSS5.2AI score0.00189EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/12 3:52 p.m.30 views

CVE-2026-6046 Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels ...

5.3CVSS0.0019EPSS
Exploits0References1
osv
osv
added 2026/06/12 3:52 p.m.3 views

CVE-2026-6046 Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels ...

5.3CVSS6AI score0.0019EPSS
Exploits0References3
redhatcve
redhatcve
added 2026/06/05 7:35 p.m.12 views

CVE-2026-5163

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS5.5AI score0.00205EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/05 12:0 a.m.15 views

PT-2026-48346

Name of the Vulnerable Software and Affected Versions klever-go versions prior to 1.7.18 Description An issue exists in the directMessageHandler function within the network/p2p/libp2p/netMessenger.go file. The software spawns a new goroutine for every incoming direct message before the antiflood...

7.5CVSS5.8AI score0.0005EPSS
Exploits0References5
vulnrichment
vulnrichment
added 2026/05/29 3:9 p.m.19 views

CVE-2026-34507 OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS5.9AI score0.00148EPSS
Exploits0References2
cvelist
cvelist
added 2026/05/29 3:9 p.m.37 views

CVE-2026-34507 OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS0.00148EPSS
Exploits0References2
nessus
nessus
added 2026/05/22 12:0 a.m.13 views

Mattermost Server 11.5.x < 11.5.2 Missing Authorization (MMSA-2026-00645)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2026-00645 advisory. - Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker t...

6.5CVSS5.9AI score0.00205EPSS
Exploits0References2
snyk
snyk
added 2026/05/18 11:47 a.m.9 views

Missing Authorization

Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Missing Authorization via the post rewrite endpoint. An attacker can gain unauthorized access to the content of threads in private channels and...

7.1CVSS5.8AI score0.00205EPSS
Exploits0References2
snyk
snyk
added 2026/05/18 11:47 a.m.15 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the post rewrite endpoint. An attacker can gain unauthorized access to the content of threads in private channels and direct messages by sending a crafted request. Remediation Upgrade...

7.1CVSS5.8AI score0.00205EPSS
Exploits0References2
github
github
added 2026/05/18 9:31 a.m.16 views

Mattermost doesn't verify channel membership when processing AI-assisted message rewrites

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS5.8AI score0.00205EPSS
Exploits0References4Affected Software2
osv
osv
added 2026/05/18 9:31 a.m.8 views

GHSA-8R89-8W26-CQ32 Mattermost doesn't verify channel membership when processing AI-assisted message rewrites

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS5.8AI score0.00205EPSS
Exploits0References4
nvd
nvd
added 2026/05/18 9:16 a.m.47 views

CVE-2026-5163

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS0.00205EPSS
Exploits0References1
euvd
euvd
added 2026/05/18 8:11 a.m.17 views

EUVD-2026-30753

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS5.8AI score0.00205EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/05/18 8:11 a.m.8 views

CVE-2026-5163

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS5.8AI score0.00205EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/05/18 8:11 a.m.4 views

CVE-2026-5163 Missing authorization check in AI message rewrite endpoint allows access to private thread content

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS6AI score0.00205EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/05/18 12:0 a.m.18 views

PT-2026-41655

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.x through 11.5.1 Description An issue exists where channel membership is not verified during the processing of AI-assisted message rewrites. This allows an authenticated attacker to read the content of threads in priva...

6.5CVSS5.8AI score0.00205EPSS
Exploits0References10
attackerkb
attackerkb
added 2026/05/15 8:29 p.m.9 views

CVE-2026-45385

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same...

4.3CVSS5.8AI score0.00204EPSS
Exploits1References2Affected Software1
osv
osv
added 2026/05/15 8:29 p.m.5 views

CVE-2026-45385 Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same...

4.3CVSS5.9AI score0.00204EPSS
Exploits1References3
Rows per page
Query Builder