8 matches found
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation
Summary The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a...
CVE-2026-32039
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutab...
CVE-2026-32039 OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutab...
CVE-2026-32039 OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutab...
GHSA-WPPH-CJGR-7C39 OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
Summary channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value for example senderName or senderUsername when deployments used untyped keys. The fix introduces explicit typed sender keys id:, e164:, username:, name:, keeps legacy untyped key...
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
Summary channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value for example senderName or senderUsername when deployments used untyped keys. The fix introduces explicit typed sender keys id:, e164:, username:, name:, keeps legacy untyped key...
PT-2026-26420
Summary channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value for example senderName or senderUsername when deployments used untyped keys. The fix introduces explicit typed sender keys id:, e164:, username:, name:, keeps legacy untyped key...
Devolutions Server 安全漏洞
Devolutions Server is an application from Devolutions Canada. provides a full-featured shared account and password management solution. A security vulnerability exists in Devolutions Server version 2022.3.13 and prior versions that originates from a privilege bypass when importing or synchronizin...