9 matches found
CVE-2026-35648
OpenClaw (npm) before 2026.3.22 contains a policy bypass where queued node actions are not revalidated against the current command policy at delivery time. Attackers could abuse stale allowlists or declarations that survive policy tightening to execute unauthorized commands. The root cause is lac...
EUVD-2026-18213
A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access UMA policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...
GHSA-F2HX-5FX3-HMCV Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access UMA policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...
CVE-2026-4636
A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access UMA policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...
PT-2026-29732
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak where an authenticated user possessing the uma protection role can circumvent User-Managed Access UMA policy validation. This allows an attacker to include resource...
Important: amazon-ssm-agent
Issue Overview: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. CVE-2025-22874 Proxy-Authorization and Proxy-Authenticate headers...
Amazon Linux 2023 : amazon-ecr-credential-helper (ALAS2023-2025-1214)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1214 advisory. Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which a...
crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509
A flaw was found in Go's crypto/x509 package. This vulnerability allows improper certificate validation, bypassing policy constraints via using ExtKeyUsageAny in VerifyOptions.KeyUsages...
CVE-2019-5779
Insufficient policy validation in ServiceWorker in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page...