Lucene search
K

267 matches found

Vulnrichment
Vulnrichment
added 2026/04/09 9:26 p.m.3 views

CVE-2026-35627 OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling

OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through...

6.9CVSS5.8AI score0.00454EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:26 p.m.2 views

CVE-2026-35627

OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through...

6.9CVSS5.9AI score0.00454EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/09 12:32 a.m.6 views

EUVD-2026-20756

OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage...

9.8CVSS5.9AI score0.00571EPSS
Exploits0References30
CNNVD
CNNVD
added 2026/04/09 12:0 a.m.7 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities were caused by a problem with the Webhook path routing in the Synology Chat extension, which could lead to bypassing...

6.5CVSS5.8AI score0.00245EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/03 3:26 a.m.4 views

Incorrect Authorization

Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the process that handles Discord component interactions, which incorrectly classifies Group Direct Messages as standard Direct Messages. An attacker can...

5.4CVSS5.8AI score0.00125EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/03 3:26 a.m.6 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the process that handles Discord component interactions, which incorrectly classifies Group Direct Messages as standard Direct Messages. An attacker can cause...

5.4CVSS5.9AI score0.00125EPSS
Exploits0References2
OSV
OSV
added 2026/04/03 3:26 a.m.7 views

GHSA-6336-QQW9-V6X6 OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message

Summary Discord Component Interaction Misclassifies Group DM as Direct Message Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real on shipped v2026.3.24 component-interaction routing/auth in extensions/discord/src/monitor/agent-components-helpers.ts, but impac...

5.4CVSS5.9AI score0.00125EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/03 3:26 a.m.5 views

OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message

Summary Discord Component Interaction Misclassifies Group DM as Direct Message Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real on shipped v2026.3.24 component-interaction routing/auth in extensions/discord/src/monitor/agent-components-helpers.ts, but impac...

5.4CVSS5.9AI score0.00125EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/04/03 3:23 a.m.4 views

Incorrect Authorization

Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the Discord slash and autocomplete command handling process. An attacker can gain unauthorized access to group DM channels by bypassing the allowlist...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/03 3:23 a.m.4 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the Discord slash and autocomplete command handling process. An attacker can gain unauthorized access to group DM channels by bypassing the allowlist restrictio...

5.4CVSS5.9AI score0.00177EPSS
Exploits0References2
OSV
OSV
added 2026/03/29 3:50 p.m.2 views

GHSA-J4C9-W69R-CW33 OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Summary Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Telegram callba...

6.9CVSS5.9AI score0.00285EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/29 3:50 p.m.6 views

OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Summary Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Telegram callba...

6.9CVSS5.9AI score0.00285EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 10:31 p.m.13 views

OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers

Summary Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Matrix verificatio...

6.9CVSS5.9AI score0.00285EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/27 12:32 p.m.4 views

EUVD-2026-16593

A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature. The exploitability is limited by the fact that the attacker needs to know the internal channe...

7.3CVSS5.9AI score0.00247EPSS
Exploits0References1
OSV
OSV
added 2026/03/27 7:11 a.m.5 views

BIT-DISCOURSE-2026-33410 Discourse hardens chat DM channel creation and expansion

Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed directly to the...

5.4CVSS5.9AI score0.00156EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/27 12:0 a.m.4 views

PT-2026-28703

Name of the Vulnerable Software and Affected Versions Venueless affected versions not specified Description A user possessing the "update world" permission within any Venueless world can potentially extract chat messages from direct messages or channels in other worlds on the same server. This is...

7.3CVSS5.9AI score0.00247EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:16 p.m.5 views

CVE-2026-31991

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist...

4.6CVSS5.8AI score0.00152EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.4 views

CVE-2026-32028

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...

6.3CVSS5.8AI score0.00198EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:9 p.m.4 views

CVE-2026-33410

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...

5.4CVSS5.9AI score0.00156EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:6 p.m.4 views

CVE-2026-22170

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References1
Rows per page
Query Builder