Lucene search
+L

5 matches found

Github Security Blog
Github Security Blog
added 2026/04/10 12:30 a.m.11 views

Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that...

6.5CVSS5.8AI score0.00245EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/03/26 9:45 p.m.5 views

Improper Authorization

Overview @openclaw/synology-chat is a Synology Chat channel plugin for OpenClaw Affected versions of this package are vulnerable to Improper Authorization in the webhook process. An attacker can gain unauthorized access to direct message policies by exploiting a path collision in the multi-accoun...

7.2CVSS5.9AI score0.00245EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/26 9:45 p.m.8 views

Improper Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authorization in the webhook process. An attacker can gain unauthorized access to direct message policies by exploiting a path collision in the multi-account configuration,...

7.2CVSS5.9AI score0.00245EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/21 12:42 a.m.26 views

CVE-2026-32899 OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers

OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction and pin non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from...

5.3CVSS0.00204EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/19 10:7 p.m.4 views

EUVD-2026-13304

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...

6.3CVSS5.8AI score0.00198EPSS
Exploits0References3
Rows per page
Query Builder