Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via unbounded concurrent unauthenticated WebSocket upgrades before session authentication. An attacker can exhaust socket and worker...

GHSA-F44P-C7W9-7XR7 OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades

Summary The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget. Impact An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients. Affected...

OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades

Summary The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget. Impact An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients. Affected...

GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...

EUVD-2026-17469

OpenClaw's device removal and token revocation do not terminate active WebSocket sessions...

OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...

CVE-2026-34716

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

CVE-2026-34716

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

CVE-2026-34716

WWBN AVideo (versions 26.0 and earlier) is affected by a DOM XSS in the YPTSocket plugin. The attacker-controlled display name is passed to the jQuery Toast Plugin as the heading, which is assembled as raw HTML and injected via .html(), allowing the display name to include scripts. This enables c...

CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

Insufficient Session Expiration

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration through incomplete termination of WebSocket sessions when devices are removed or tokens are revoked. An attacker can retain unauthorized access by...

GHSA-89HR-6X2P-8XJV Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...

Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...

CVE-2026-34503

OpenClaw (vulnerable: before 2026.3.28) fails to terminate active WebSocket sessions when devices are removed or tokens are revoked, enabling persistence of access for revoked credentials through existing live sessions until forced reconnection. This impacts OpenClaw deployments using the affecte...

CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed in IBM Business Automation Manager Open Editions 9.4.0 Vulnerability Details CVEID:CVE-2026-1525 DESCRIPTION: Undici allows duplicate HTTP Content-Length headers when they...