Lucene search
K

142 matches found

EUVD
EUVD
added 2026/03/05 9:59 p.m.6 views

EUVD-2026-9892

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open must be configured. Attackers can execute privileged slash commands via direct message to bypass...

9.8CVSS6AI score0.00347EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.8 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.2 contained security vulnerabilities. These vulnerabilities stemmed from the ability to bypass the DM permission list matching in the Matrix plugin, allowing remote Matrix users to impersonate...

6.3CVSS5.8AI score0.00231EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/04 6:56 p.m.8 views

Incorrect Authorization

Overview @openclaw/matrix is an OpenClaw Matrix channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveragi...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 6:56 p.m.4 views

Incorrect Authorization

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 6:56 p.m.4 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 6:56 p.m.3 views

Incorrect Authorization

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing b...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 6:56 p.m.4 views

Incorrect Authorization

Overview @openclaw/zalouser is an OpenClaw Zalo Personal Account plugin via native zca-js integration Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 6:56 p.m.4 views

Incorrect Authorization

Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References2
OSV
OSV
added 2026/03/03 9:25 p.m.3 views

GHSA-354R-7MFH-7RH2 OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups

Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...

5.3CVSS6AI score0.00198EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/03 9:25 p.m.7 views

OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups

Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...

6.3CVSS6AI score0.00198EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/03 7:17 p.m.9 views

OpenClaw DM pairing-store identities could satisfy group allowlist authorization

Summary DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths. Details In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via D...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/03/03 1:29 p.m.4 views

BIT-DISCOURSE-2026-27152 DIscourse has DM communication-preference bypass when adding members

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...

5.3CVSS6AI score0.00158EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/03 12:0 a.m.8 views

PT-2026-26408

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.26 Description OpenClaw is affected by an authorization bypass issue where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. This cross-context authorization flaw...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References9
OSV
OSV
added 2026/03/02 10:14 p.m.3 views

GHSA-WM8R-W8PF-2V6W OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage

Summary In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation. Impact This is an authorization-boundary weakness between DM...

3.7CVSS5.9AI score0.00152EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/03/02 10:14 p.m.9 views

OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage

Summary In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation. Impact This is an authorization-boundary weakness between DM...

4.6CVSS5.9AI score0.00152EPSS
Exploits0References6Affected Software1
CNVD
CNVD
added 2026/03/02 12:0 a.m.5 views

OpenClaw has an unspecified vulnerability (CNVD-2026-13383)

OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw has a security vulnerability that stems from the fact that under iMessage groupPolicy=allowlist, the identity of the sender from the DM pairing store can satisfy the group authorization, which can be exploited by an...

6.5CVSS5.8AI score0.00283EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/26 8:0 p.m.4 views

CVE-2026-27152 DIscourse has DM communication-preference bypass when adding members

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...

5.3CVSS6AI score0.00158EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/26 8:0 p.m.24 views

CVE-2026-27152 DIscourse has DM communication-preference bypass when adding members

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...

5.3CVSS0.00158EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/21 1:30 a.m.6 views

CVE-2026-26328

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue...

6.5CVSS5.5AI score0.00283EPSS
Exploits0References1
CVE
CVE
added 2026/02/19 11:4 p.m.13 views

CVE-2026-26328

OpenClaw is affected by CVE-2026-26328: prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities from the DM pairing store, broadening DM trust into group contexts. This is documented across multiple sources, including Red Hat a...

6.5CVSS5.5AI score0.00283EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder