EUVD-2026-26124

OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token...

Linux Distros Unpatched Vulnerability : CVE-2026-5173

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have...

CVE-2026-40116

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the...

EUVD-2026-20802

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control...

UBUNTU-CVE-2026-5173

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control...

CVE-2026-5173

Removed by vendor...

CVE-2026-5173 Exposed Dangerous Method or Function in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control...

CVE-2026-5173

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control...

EUVD-2026-18923

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...

GHSA-JGFX-74G2-9R6G goshs has Auth Bypass via Share Token

Summary When using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. Details The BasicAuthMiddleware checks for a ?token= parameter before checking credentials. If the token exists in SharedLinks, the request passes...

goshs has Auth Bypass via Share Token

Summary When using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. Details The BasicAuthMiddleware checks for a ?token= parameter before checking credentials. If the token exists in SharedLinks, the request passes...

Insufficient Session Expiration

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Insufficient Session Expiration through the verifyTokenSocket function in plugin/YPTSocket/functions.php. An attacker can maintain unauthorized WebSocket access an...

Origin Validation Error

Overview @grackle-ai/server is a Grackle server orchestrator — spawns and wires core gRPC, web-server HTTP, MCP, and PowerLine Affected versions of this package are vulnerable to Origin Validation Error via the connection handler process. An attacker can gain unauthorized access to real-time...

CVE-2026-29796

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

CVE-2026-26051 Mobiliti e-mobi.hu Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

Everon 访问控制错误漏洞

Everon is an electric vehicle charging station system developed by Everon Corporation. There is an access control vulnerability in Everon, which stems from the lack of an authentication mechanism. This vulnerability allows unverified attackers to connect to WebSocket endpoints and impersonate...

OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint

Summary When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.17 - Latest published npm version at triage time: 2026.2.17 Impact Thi...

CVE-2026-27767

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

CVE-2025-12548

The CVE-2025-12548 issue affects Eclipse Che che-machine-exec, exposed in Red Hat OpenShift Dev Spaces. A flaw allows unauthenticated remote arbitrary command execution and secret exfiltration from other users’ Developer Workspace containers via an unauthenticated JSON-RPC/WebSocket API on TCP po...

CVE-2026-21883

Bokeh server (Python) CVE-2026-21883 affects 3.8.1 and earlier. Incomplete origin validation in WebSockets due to a flawed host matching in the allowlist enables an attacker to lure a victim to a malicious domain (e.g., dashboard.corp.attacker.com) and initiate a WebSocket connection, potentially...