42 matches found
CVE-2026-28465
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...
CVE-2026-28465
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...
CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...
CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...
CVE-2026-28465
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...
CVE-2026-28465
OpenClaw’s voice-call plugin (pre-2026.2.3) has an improper authentication flaw in webhook verification. An attacker can spoof webhook events by supplying untrusted Forwarded or X-Forwarded-* headers in reverse-proxy setups that implicitly trust these headers, bypassing verification. The issue af...
OpenClaw 安全漏洞
OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw suffers from a security bypass vulnerability that stems from the fact that Webhook signature verification in the Voice Call extension can be bypassed, which can be exploited by an attacker to cause unauthenticated...
OpenClaw 数据伪造问题漏洞
OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.3 had a data manipulation vulnerability. This vulnerability stemmed from improper authentication in webhook verification, which could allow remote attackers to bypass the verification by using...
CVE-2026-26319
OpenClaw contains a vulnerability in the optional @openclaw/voice-call Telnyx webhook handler: when telnyx.publicKey is not configured, verification can fail open, allowing unauthenticated HTTP POSTs to be treated as legitimate Telnyx events. Affected versions are 2026.2.13 and earlier; the issue...
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
Affected Packages / Versions This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled. - Package: @openclaw/voice-call - Vulnerable versions: = 2026.2.3 Legacy package name if you are still usi...
CVE-2026-21894 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...
CVE-2026-21894 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...
GHSA-JF52-3F2H-H9J5 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
Impact An authentication bypass in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were n...
CVE-2025-11564 Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it...
PT-2025-43706
Name of the Vulnerable Software and Affected Versions Tutor LMS versions up to and including 3.8.3 Description The Tutor LMS plugin for WordPress is susceptible to unauthorized data modification. This occurs because of a missing capability check when verifying webhook signatures within the...
EUVD-2025-20865
Malicious code in bioql PyPI...
Improper Verification Of Cryptographic Signature
Clerk is vulnerable to improper verification of cryptographic signature. The vulnerability is due to the use of the verifyWebhook helper, which may accept improperly signed webhook events, allowing an attacker to forge webhook requests and potentially trigger unauthorized actions...
CVE-2025-53548
Clerk helps developers build user management. Applications that use the verifyWebhook helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0...
CVE-2025-53548
CVE-2025-53548 concerns Clerk’s verifyWebhook() validation. Across connected documents, the issue is that the verifyWebhook() helper may accept improperly signed webhook events, enabling signature forgery. The vulnerability is mitigated by upgrading to @clerk/backend 2.4.0, which properly parses ...
CVE-2025-53548 @clerk/backend Performs Insufficient Verification of Data Authenticity
Clerk helps developers build user management. Applications that use the verifyWebhook helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0...