55 matches found
PT-2026-31764
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw contains a missing rate limiting issue in Telegram webhook authentication. This allows attackers to brute-force weak webhook secrets by repeatedly guessing without throttling. The...
CVE-2026-33580 OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...
EUVD-2026-17393
OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently subm...
EUVD-2026-17389
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling...
Duplicate Advisory: OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5m9r-p9g7-679c. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to...
CVE-2026-34508
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...
PT-2026-29236
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling...
Brute Force
Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Brute Force via the Zalo webhook handler. An attacker can repeatedly attempt to guess webhook secrets without triggering rate limiting by sending requests with invalid secrets, as these...
CVE-2026-28454
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...
EUVD-2026-9903
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...
CVE-2026-27004
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools sessionslist, sessionshistory, sessionssend allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in...
CVE-2026-27004
CVE-2026-27004 concerns OpenClaw, an open-source personal AI assistant. In versions prior to 2026.2.15, the issue arises in multi-user/shared-agent deployments where session tools (sessions_list, sessions_history, sessions_send) could expose transcript content across peer sessions due to insuffic...
PT-2026-23532
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.2 OpenClaw versions 2026.1.30 and earlier Description When Telegram webhook mode is enabled without a configured webhook secret, the software may accept unauthenticated HTTP POST requests at the Telegram webho...
BIT-DISCOURSE-2026-24742 Discourse staff action logs expose sensitive information to moderators
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...
CVE-2026-24742
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...
CVE-2026-24742 Discourse staff action logs expose sensitive information to moderators
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...
CVE-2026-24742
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...
CVE-2026-24742
Discourse (open‑source discussion platform) is affected in CVE-2026-24742 for versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The issue allows non‑admin moderators to view sensitive data in staff action logs that should be restricted to administrators, exposing webhook URLs and secre...
EUVD-2026-4869
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...
CVE-2026-24742 Discourse staff action logs expose sensitive information to moderators
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...