Lucene search
K

27 matches found

Debian CVE
Debian CVE
added 2026/06/23 5:52 p.m.7 views

CVE-2026-52845

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forwardauth copyheaders deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through phpfastcgi, Caddy normalizes HTTP headers int...

8.1CVSS5.9AI score0.00246EPSS
Exploits1
NVD
NVD
added 2026/06/19 2:16 p.m.14 views

CVE-2026-44087

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affect...

9.1CVSS0.00213EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/19 1:11 p.m.31 views

CVE-2026-44087 Apache APISIX: Openid-connect plugin Identity Header Spoofing

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affect...

5.3CVSS0.00213EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/13 12:34 a.m.15 views

EUVD-2026-36620

OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate...

7.7CVSS5.2AI score0.00102EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 9:56 p.m.18 views

CVE-2026-53832

CVE-2026-53832 affects OpenClaw prior to 2026.5.18. The issue is an identity header validation flaw that lets local, same-host callers forge trusted-proxy identity headers, enabling them to assume operator identity and potentially escalate privileges when they have access to the proxy-facing Gate...

7.7CVSS5.3AI score0.00102EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.28 views

CVE-2026-53832 OpenClaw < 2026.5.18 - Identity Header Forgery via Trusted-Proxy Configuration

OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate...

7.7CVSS0.00102EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.13 views

PT-2026-49036

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.18 Description An identity header validation issue allows local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply these forged headers...

7.7CVSS5.2AI score0.00102EPSS
Exploits0References8
EUVD
EUVD
added 2026/05/26 6:23 p.m.14 views

EUVD-2026-31953

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is...

8.8CVSS5.9AI score0.0049EPSS
Exploits0References5
CVE
CVE
added 2026/05/26 6:23 p.m.34 views

CVE-2026-8890

The CVE-2026-8890 entry affects code100x Mobile API. The vulnerability is an authentication bypass in the Mobile API’s middleware.ts: when an Auth-Key header is present but not validated, an attacker can inject a crafted JSON payload in the g header, spoofing a user identity that downstream handl...

8.8CVSS5.9AI score0.0049EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/26 6:23 p.m.38 views

CVE-2026-8890 code100x Mobile API Authentication Bypass via Header Spoofing

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is...

8.8CVSS0.0049EPSS
Exploits0References5
OSV
OSV
added 2026/03/26 8:33 p.m.4 views

GO-2026-4830 NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers in github.com/nats-io/nats-server

NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers in github.com/nats-io/nats-server...

6.4CVSS5.8AI score0.00143EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2025/08/20 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2022-26499

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests such as GET to interfaces such as...

9.1CVSS8.2AI score0.0768EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2025/08/20 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2025-49832

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6,...

6.5CVSS5.5AI score0.00446EPSS
Exploits1References2
OSV
OSV
added 2025/08/01 6:15 p.m.2 views

UBUNTU-CVE-2025-49832

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in asterisk/res/resstirshaken /verification.c that can be...

6.5CVSS5.9AI score0.00446EPSS
Exploits1References3
Debian CVE
Debian CVE
added 2025/08/01 5:57 p.m.6 views

CVE-2025-49832

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in asterisk/res/resstirshaken /verification.c that can be...

6.5CVSS5.6AI score0.00446EPSS
Exploits1
AlpineLinux
AlpineLinux
added 2025/08/01 5:57 p.m.7 views

CVE-2025-49832

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in asterisk/res/resstirshaken /verification.c that can be...

6.5CVSS7.2AI score0.00446EPSS
Exploits1References1
NVD
NVD
added 2022/04/15 5:15 a.m.21 views

CVE-2022-26499

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests such as GET to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2...

9.1CVSS0.0768EPSS
Exploits0References5
OSV
OSV
added 2022/04/15 5:15 a.m.2 views

ALPINE-CVE-2022-26499

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests such as GET to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2...

9.1CVSS7AI score0.0768EPSS
Exploits0References1
OSV
OSV
added 2022/04/15 5:15 a.m.45 views

CVE-2022-26499

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests such as GET to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2...

9.1CVSS1.6AI score
Exploits0References5
OSV
OSV
added 2022/04/15 5:15 a.m.2 views

UBUNTU-CVE-2022-26499

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests such as GET to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2...

9.1CVSS5.9AI score0.0768EPSS
Exploits0References6
Rows per page
Query Builder