269 matches found
CVE-2026-33410
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...
CVE-2026-22170
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...
PT-2026-31763
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw before version 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before validating sender and pairing policies. Attackers can trigger unauthorize...
OpenClaw has an unspecified vulnerability (CNVD-2026-14834)
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a security vulnerability that stems from not enforcing dmPolicy and allowFrom authorization checks on Discord direct message response notifications, which can be exploited by an attacker to bypass DM...
Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-792q-qw95-f446. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling...
CVE-2026-32899 OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers
OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction and pin non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from...
CVE-2026-32067 OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically...
The Danger Behind Meta Killing End-to-End Encryption for Instagram DMs
Meta blamed users for not opting into the privacy-protecting feature. Experts fear the move could be the first major domino to fall for end-to-end encryption tech worldwide...
CVE-2026-32028
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...
CVE-2026-32028 OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...
CVE-2026-32028 OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...
CVE-2026-32028
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...
CVE-2026-32028
OpenClaw
CVE-2026-32028 OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...
EUVD-2026-13302
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy...
EUVD-2026-13341
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...
CVE-2026-33410 Discourse hardens chat DM channel creation and expansion
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...
CVE-2026-33410 Discourse hardens chat DM channel creation and expansion
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...
EUVD-2026-13021
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist...
PT-2026-26427
Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse, an open-source discussion platform, has authorization issues within its chat direct message API...