80 matches found
EUVD-2026-17437
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes...
GHSA-F275-5H5C-5WG5 Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails ...
CVE-2026-33577
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired...
CVE-2026-33579
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes...
CVE-2026-33579 OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes...
CVE-2026-33579 OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes...
CVE-2026-33579
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes...
CVE-2026-33579
Technical details, affected products, and remediation are not provided in the supplied documents. Monitor for updates.
CVE-2026-33577
CVE-2026-33577 (OpenClaw) : OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node-pairing approval path. The issue is caused by missing callerScopes validation in node-pairing.ts, allowing a low-privilege operator to approve nodes with broader scopes onto t...
CVE-2026-33577 OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired...
CVE-2026-33577 OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired...
CVE-2026-33577
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired...
Improper Authorization
Overview scitokens is a SciToken reference implementation library Affected versions of this package are vulnerable to Improper Authorization via the validatescp and validatescope functions. An attacker can gain unauthorized access to sibling paths by crafting tokens with scope paths that share a...
CVE-2026-32727 SciTokens: Authorization Bypass via Path Traversal in Scope Validation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...
CVE-2026-32727 SciTokens: Authorization Bypass via Path Traversal in Scope Validation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...
CVE-2026-32727
CVE-2026-32727 concerns SciTokens: prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack via a token scope claim containing dot-dot (..). The issue arises from normalization of both the authorized path and the requested path, then comparing with startswith. Affected: SciTo...
CVE-2026-32727 SciTokens: Authorization Bypass via Path Traversal in Scope Validation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...
PT-2026-29257
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description OpenClaw contains an insufficient scope validation issue in the node pairing approval path. This allows low-privilege operators to approve nodes with broader scopes than they are authorized to,...
PT-2026-31774
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw contains a privilege escalation issue in the device.pair.approve method. An operator with pairing approval rights can approve device requests with broader operator scopes than authorize...
CVE-2026-4428
The CVE relates to AWS-LC CRL distribution point validation logic before 1.71.0. A logic error caused partitioned CRLs to be incorrectly rejected as out of scope, enabling a revoked certificate to bypass revocation checks. Affected software is AWS-LC prior to 1.71.0; the issue is fixed in AWS-LC ...