20 matches found

Snyk
added 2026/05/05 1:35 p.m., 9 views

Missing Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Missing Authorization via the Microsoft Teams SSO invoke handler. An attacker can gain unauthorized access to Teams SSO sign-in functionality by sending specially crafted SSO invoke reques...

CVSS 6.3, AI score 5.8, EPSS 0.00231
Exploits 0, References 2
Vulnrichment
added 2026/04/28 6:09 p.m., 1 views

CVE-2026-41376 OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation

OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls...

CVSS 5.4, AI score 5.2, EPSS 0.00157
Exploits 0, References 3
ATTACKERKB
added 2026/04/28 6:09 p.m., 3 views

CVE-2026-41376

OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls...

CVSS 5.4, AI score 5.2, EPSS 0.00157
Exploits 0, References 4
Cvelist
added 2026/04/28 6:09 p.m., 31 views

CVE-2026-41376 OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation

OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls...

CVSS 5.4, EPSS 0.00157
Exploits 0, References 3
CVE
added 2026/04/28 6:09 p.m., 13 views

CVE-2026-41376

OpenClaw (npm) is affected in versions before 2026.3.31; upgrading to 2026.3.31 or later is recommended. If upgrading is not feasible, consider mitigating controls around thread context handling and sender validation until a patch is applied. Note that public advisories confirm the vulnerability exists in shipped releases prior to ...

CVSS 6.5, AI score 5.2, EPSS 0.00157
Exploits 0, References 3, Affected Software 1
EUVD
added 2026/04/28 6:09 p.m., 5 views

EUVD-2026-26085

OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls...

CVSS 5.4, AI score 5.2, EPSS 0.00157
Exploits 0, References 3
CNNVD
added 2026/04/28 12:00 a.m., 7 views

OpenClaw Access Control Error Vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contain an access control vulnerability. This vulnerability stems from a bypass of the allowlist in the Matrix thread root and in the handling of reply contexts, resulting...

CVSS 6.5, AI score 5.8, EPSS 0.00157
Exploits 0, References 1
NVD
added 2026/04/09 10:16 p.m., 5 views

CVE-2026-35627

OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through...

CVSS 8.2, EPSS 0.00454
Exploits 0, References 4
Snyk
added 2026/04/02 8:59 p.m., 2 views

Incorrect Authorization

Overview: @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin, community maintained by @m1heng. Affected versions of this package are vulnerable to Incorrect Authorization in the process that fetches quoted, root, or thread context messages, which bypasses the sender allowlist. An attacker ca...

CVSS 5.3, AI score 5.8
Exploits 0, References 2
CVE
added 2026/03/31 2:10 p.m., 10 views

CVE-2026-33576

OpenClaw prior to 2026.3.28 downloads and stores inbound media from Zalo channels before sender authorization is checked. The vulnerability allows unauthorized senders to force network fetches and disk writes to the inbound media store by sending messages that are later rejected. The issue affect...

CVSS 6.9, AI score 5.9, EPSS 0.00355
Exploits 0, References 3, Affected Software 1
OSV
added 2026/03/12 4:38 p.m., 3 views

GHSA-4CM8-XPFV-JV6F ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation

Summary: The email channel authorizes senders based on the parsed From header identity only. If upstream email authentication/enforcement is weak, for example relaxed SPF/DKIM/DMARC handling, an attacker can spoof an allowlisted sender address and have the message treated as trusted input. Details...

CVSS 6.5, AI score 5.9
Exploits 0, References 3
CNNVD
added 2025/10/16 12:00 a.m., 4 views

Base Digitale Centrax Open PSIM Security Vulnerability

Base Digitale Centrax Open PSIM is a platform for physical security management from Base Digitale, Italy. A security vulnerability exists in Base Digitale Centrax Open PSIM version 6.1 that stems from the cmd component not validating the sender parameter, which could lead to an SQL injection atta...

CVSS 5.4, AI score 7.4, EPSS 0.00255
Exploits 0, References 2
SUSE CVE
added 2025/06/11 2:45 a.m., 1 views

SUSE CVE-2025-48937

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those event...

CVSS 4.9, AI score 6.9, EPSS 0.00311
Exploits 0, References 3
NVD
added 2025/06/10 4:15 p.m., 30 views

CVE-2025-48937

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those event...

CVSS 4.9, EPSS 0.00311
Exploits 0, References 4
OSV
added 2025/06/10 3:32 p.m., 13 views

CVE-2025-48937 matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those event...

CVSS 4.9, AI score 6.5, EPSS 0.00311
Exploits 0, References 6
RedHat Linux
added 2025/01/09 6:34 a.m., 4 views

firefox: thunderbird: WebChannel APIs susceptible to confused deputy attack

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to...

CVSS 5.4, AI score 7.3, EPSS 0.00593
Exploits 0, References 7
Code423n4
added 2023/10/20 12:00 a.m., 4 views

registerWallet() does not validate the sender

Lines of code. Vulnerability details. Issue: registerWallet in WalletRegistry.sol does not guarantee that the sender is the safe deployer. registerWallet should be called from the safe deployer, in the context of deployConsoleAccount. // Register Wallet /// @dev This function is being packed as a par...

AI score 7.1
Exploits 0
Debian
added 2023/03/27 8:10 p.m., 24 views

[SECURITY] [DSA 5379-1] dino-im security update

Debian Security Advisory DSA-5379-1, [email protected], https://www.debian.org/security/, Salvatore Bonaccorso, March 27, 2023, https://www.debian.org/security/faq -...

CVSS 7.1, AI score 6.7, EPSS 0.00699
Exploits 0
CNNVD
added 2022/02/08 12:00 a.m., 4 views

ArchiSteamFarm Access Control Error Vulnerability

ArchiSteamFarm is a C# application whose main purpose is to idle Steam cards from multiple accounts simultaneously. An access control error vulnerability exists in ArchiSteamFarm that stems from the product not adequately validating the sending agent. An attacker could use this vulnerability to...

CVSS 6.8, AI score 6.7, EPSS 0.00977
Exploits 0, References 8
CNNVD
added 2021/01/31 12:00 a.m., 5 views

Github Monal Data Falsification Issue Vulnerability

Github Monal is a cross-platform modern XMPP client for iOS and macOS. Monal before 4.9 suffers from a data forgery vulnerability that stems from not properly validating the sender of results. An attacker can use this vulnerability to inject arbitrary messages into local history and take fu...

CVSS 9.8, AI score 7.4, EPSS 0.00548
Exploits 0, References 3