Lucene search
K

7 matches found

Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-55671 ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components

ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to...

2.3CVSS0.00252EPSS
Exploits0References3
OSV
OSV
added 2026/06/12 9:56 p.m.7 views

CVE-2026-53827 OpenClaw < 2026.5.2 - Credential Exposure via Model-Supplied Loopback URLs in message.action Forwarding

OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by...

6CVSS6AI score0.00254EPSS
Exploits0References5
CVE
CVE
added 2026/02/19 9:34 p.m.21 views

CVE-2026-26317

OpenClaw (personal AI assistant) exposes loopback browser mutation endpoints that accept cross-origin requests prior to 2026.2.14, enabling cross‑site request forgery (CSRF) to trigger unauthorized state changes in the victim’s local browser control plane. Starting with 2026.2.14, mutating HTTP m...

7.1CVSS5.6AI score0.0014EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/19 9:34 p.m.6 views

CVE-2026-26317 OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A...

7.1CVSS5.7AI score0.0014EPSS
Exploits0References5
OSV
OSV
added 2026/02/18 12:53 a.m.5 views

GHSA-3FQR-4CG8-H96Q OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

Summary Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. Impact A malicious website can trigger unauthorized...

7.1CVSS5.7AI score0.0014EPSS
Exploits0References5
Snyk
Snyk
added 2026/02/18 12:53 a.m.6 views

Cross-site Request Forgery (CSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the mutation endpoints exposed on loopback addresses without proper Origin or Referer validation. An attacker can cause unauthorized state changes, suc...

7.1CVSS5.7AI score0.0014EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/18 12:53 a.m.11 views

OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

Summary Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. Impact A malicious website can trigger unauthorized...

7.1CVSS5.6AI score0.0014EPSS
Exploits0References5Affected Software2
Rows per page
Query Builder