Lucene search
K

55 matches found

Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.5 views

PT-2026-31764

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw contains a missing rate limiting issue in Telegram webhook authentication. This allows attackers to brute-force weak webhook secrets by repeatedly guessing without throttling. The...

6.3CVSS5.8AI score0.00287EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/03/31 2:10 p.m.25 views

CVE-2026-33580 OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...

6.5CVSS0.00365EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/31 12:31 p.m.3 views

EUVD-2026-17393

OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently subm...

6.5CVSS5.9AI score0.00056EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/31 12:31 p.m.4 views

EUVD-2026-17389

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling...

6.9CVSS5.9AI score0.00272EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/31 12:31 p.m.7 views

Duplicate Advisory: OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5m9r-p9g7-679c. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to...

6.9CVSS5.8AI score0.00272EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/03/31 12:16 p.m.6 views

CVE-2026-34508

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

0.00056EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.3 views

PT-2026-29236

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling...

9.8CVSS5.9AI score0.00272EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/13 8:55 p.m.6 views

Brute Force

Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Brute Force via the Zalo webhook handler. An attacker can repeatedly attempt to guess webhook secrets without triggering rate limiting by sending requests with invalid secrets, as these...

6.9CVSS5.9AI score0.00272EPSS
Exploits0References2
OSV
OSV
added 2026/03/05 10:16 p.m.5 views

CVE-2026-28454

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

9.8CVSS5.9AI score
Exploits0References6
EUVD
EUVD
added 2026/03/05 9:59 p.m.4 views

EUVD-2026-9903

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

9.8CVSS6AI score0.00255EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/02/21 1:30 a.m.8 views

CVE-2026-27004

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools sessionslist, sessionshistory, sessionssend allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in...

6.9CVSS5.5AI score0.00105EPSS
Exploits0References1
CVE
CVE
added 2026/02/19 11:18 p.m.17 views

CVE-2026-27004

CVE-2026-27004 concerns OpenClaw, an open-source personal AI assistant. In versions prior to 2026.2.15, the issue arises in multi-user/shared-agent deployments where session tools (sessions_list, sessions_history, sessions_send) could expose transcript content across peer sessions due to insuffic...

6.9CVSS5.5AI score0.00105EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/17 12:0 a.m.8 views

PT-2026-23532

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.2 OpenClaw versions 2026.1.30 and earlier Description When Telegram webhook mode is enabled without a configured webhook secret, the software may accept unauthenticated HTTP POST requests at the Telegram webho...

9.8CVSS5.9AI score0.00255EPSS
Exploits0References12
OSV
OSV
added 2026/02/02 8:42 a.m.4 views

BIT-DISCOURSE-2026-24742 Discourse staff action logs expose sensitive information to moderators

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...

6.5CVSS5.3AI score0.00255EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/29 9:21 p.m.9 views

CVE-2026-24742

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/01/28 8:11 p.m.4 views

CVE-2026-24742 Discourse staff action logs expose sensitive information to moderators

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/01/28 8:11 p.m.6 views

CVE-2026-24742

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/01/28 8:11 p.m.18 views

CVE-2026-24742

Discourse (open‑source discussion platform) is affected in CVE-2026-24742 for versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The issue allows non‑admin moderators to view sensitive data in staff action logs that should be restricted to administrators, exposing webhook URLs and secre...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/01/28 8:11 p.m.8 views

EUVD-2026-4869

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/28 8:11 p.m.30 views

CVE-2026-24742 Discourse staff action logs expose sensitive information to moderators

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...

6.5CVSS0.00255EPSS
Exploits0References1
Rows per page
Query Builder