PT-2026-29816
Summary: A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...
PT-2026-29634
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0. Description: The application does not immediately revoke active user sessions when an account is deleted. This is due to a logic flaw where account state changes are only enforced during login, not for existing...
GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary: Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact: A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
Insufficient Session Expiration
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insufficient Session Expiration through incomplete termination of WebSocket sessions when devices are removed or tokens are revoked. An attacker can retain unauthorized access by...
GHSA-89HR-6X2P-8XJV Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...
CVE-2026-34503
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
CVE-2026-34503
OpenClaw (vulnerable: before 2026.3.28) fails to terminate active WebSocket sessions when devices are removed or tokens are revoked, enabling persistence of access for revoked credentials through existing live sessions until forced reconnection. This impacts OpenClaw deployments using the affecte...
PT-2026-29265
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28. Description: The software does not disconnect active WebSocket sessions when devices are removed or tokens are revoked. This allows attackers with revoked credentials to maintain unauthorized access through...
Improper Verification of Cryptographic Signature
Overview: Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the OCSP response validation process. An attacker can bypass certificate revocation checks by providing a forged OCSP response, potentially enabling man-in-the-middle attacks...
CVE-2026-32883 Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass
Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0...
CVE-2026-32883
CVE-2026-32883 affects the Botan C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for a valid status but the OCSP response signature itself was not verified, enabling a potential Man-in-the-Middle in certificate revocatio...
OPENSUSE-SU-2026:20444-1 Security update for tomcat10
This update for tomcat10 fixes the following issues:
Update to Tomcat 10.1.52:
- CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled bsc1252753.
- CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat bsc125290...
BIT-DISCOURSE-2026-33424 PM access granted through invites after access revocation
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are...