EUVD-2026-21430
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the...
CVE-2026-35619 OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the...
EUVD-2026-21420
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Summary: The hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. Details: The access contr...
GHSA-HJ5C-MHH2-G7JQ Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Summary: The hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. Details: The access contr...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper SQL operator precedence in the hasAccessToLabel function. An attacker can access label metadata, including titles, descriptions, colors, and creator information from projects they do not have acce...
GHSA-H27X-RFFW-24P4 vulnerabilities
Vulnerabilities for packages: logstash, ruby3.3-fluentd-kubernetes-daemonset, ruby3.2-fluentd-kubernetes-daemonset, cinc-auditor, ruby4.0-fluentd-kubernetes-daemonset, kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset...
CVE-2026-35611 vulnerabilities
Vulnerabilities for packages: logstash, ruby3.3-fluentd-kubernetes-daemonset, ruby3.2-fluentd-kubernetes-daemonset, cinc-auditor, ruby4.0-fluentd-kubernetes-daemonset, kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset...
GHSA-H27X-RFFW-24P4 vulnerabilities
Vulnerabilities for packages: logstash, cinc-auditor, ruby4.0-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.2-fluentd-kubernetes-daemonset, kube-logging-operator...
CVE-2026-35611 vulnerabilities
Vulnerabilities for packages: logstash, cinc-auditor, ruby4.0-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.2-fluentd-kubernetes-daemonset, kube-logging-operator...
CLEANSTART-2026-OC72960 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Multiple security vulnerabilities affect the gpu-operator-fips package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. See references for individual vulnerability details...
CLEANSTART-2026-JM69747 Security fixes for ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 25.10.0-r1
Multiple security vulnerabilities affect the gpu-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-AV56399 Security fixes for ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 25.10.0-r1
Multiple security vulnerabilities affect the gpu-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-KL76732 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Multiple security vulnerabilities affect the gpu-operator package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. See references for individual vulnerability details...
CLEANSTART-2026-TW35447 Security fixes for ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 25.10.0-r1
Multiple security vulnerabilities affect the gpu-operator package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-RL67763 Security fixes for ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 25.10.0-r1
Multiple security vulnerabilities affect the gpu-operator package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-RA52239 url
Multiple security vulnerabilities affect the prometheus-operator package. url. See references for individual vulnerability details...
EUVD-2026-21134
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation ...
EUVD-2026-21141
OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. Attackers can access gateway snapshots via config.get and channels.status endpoints to retrieve sensitive...