42 matches found

NVD
added 2026/03/05 10:16 p.m., 7 views

CVE-2026-28465

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVSS 8.2, EPSS 0.00374
Exploits: 0, References: 3
OSV
added 2026/03/05 10:16 p.m., 5 views

CVE-2026-28465

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVSS 7.5, AI score 5.9
Exploits: 0, References: 3
Cvelist
added 2026/03/05 9:59 p.m., 26 views

CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVSS 8.2, EPSS 0.00374
Exploits: 0, References: 3
Vulnrichment
added 2026/03/05 9:59 p.m., 2 views

CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVSS 8.2, AI score 5.8, EPSS 0.00374
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/05 9:59 p.m., 3 views

CVE-2026-28465

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVSS 8.2, AI score 6, EPSS 0.00374
Exploits: 0, References: 4
CVE
added 2026/03/05 9:59 p.m., 14 views

CVE-2026-28465

OpenClaw’s voice-call plugin (pre-2026.2.3) has an improper authentication flaw in webhook verification. An attacker can spoof webhook events by supplying untrusted Forwarded or X-Forwarded-* headers in reverse-proxy setups that implicitly trust these headers, bypassing verification. The issue af...

CVSS 8.2, AI score 6, EPSS 0.00374
Exploits: 0, References: 3, Affected Software: 1
CNNVD
added 2026/03/05 12:00 a.m., 8 views

OpenClaw security vulnerability

OpenClaw, from openclaw, is an open-source intelligent artificial assistant. OpenClaw suffers from a security bypass vulnerability: webhook signature verification in the Voice Call extension can be bypassed, which an attacker can exploit to cause unauthenticated...

CVSS 6.5, AI score 5.8, EPSS 0.0029
Exploits: 0, References: 3
CNNVD
added 2026/03/05 12:00 a.m., 8 views

OpenClaw data forgery vulnerability

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.3 had a data manipulation vulnerability. This vulnerability stemmed from improper authentication in webhook verification, which could allow remote attackers to bypass the verification by using...

CVSS 8.2, AI score 5.7, EPSS 0.00374
Exploits: 0, References: 3
CVE
added 2026/02/19 10:05 p.m., 16 views

CVE-2026-26319

OpenClaw contains a vulnerability in the optional @openclaw/voice-call Telnyx webhook handler: when telnyx.publicKey is not configured, verification can fail open, allowing unauthenticated HTTP POSTs to be treated as legitimate Telnyx events. Affected versions are 2026.2.13 and earlier; the issue...

CVSS 7.5, AI score 5.7, EPSS 0.00284
Exploits: 0, References: 4, Affected Software: 1
Github Security Blog
added 2026/02/17 9:31 p.m., 9 views

OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations

Affected Packages / Versions This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled. - Package: @openclaw/voice-call - Vulnerable versions: = 2026.2.3 Legacy package name if you are still usi...

CVSS 8.2, AI score 5.5, EPSS 0.00374
Exploits: 0, References: 6, Affected Software: 2
Cvelist
added 2026/01/08 9:56 a.m., 23 views

CVE-2026-21894 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...

CVSS 6.5, EPSS 0.00432
Exploits: 0, References: 3
Vulnrichment
added 2026/01/08 9:56 a.m., 3 views

CVE-2026-21894 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...

CVSS 6.5, AI score 6.8, EPSS 0.00432
Exploits: 0, References: 3
OSV
added 2026/01/07 7:22 p.m., 4 views

GHSA-JF52-3F2H-H9J5 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks

Impact An authentication bypass in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were n...

CVSS 6.5, AI score 7.3, EPSS 0.00432
Exploits: 0, References: 5
Cvelist
added 2025/10/25 5:31 a.m., 10 views

CVE-2025-11564 Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it...

CVSS 5.3, EPSS 0.00266
Exploits: 0, References: 2
Positive Technologies
added 2025/10/25 12:00 a.m., 5 views

PT-2025-43706

Name of the Vulnerable Software and Affected Versions Tutor LMS versions up to and including 3.8.3 Description The Tutor LMS plugin for WordPress is susceptible to unauthorized data modification. This occurs because of a missing capability check when verifying webhook signatures within the...

CVSS 5.3, AI score 5.8, EPSS 0.00266
Exploits: 0, References: 8
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-20865

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.4, EPSS 0.00152
Exploits: 0, References: 2
Veracode
added 2025/07/10 6:09 a.m., 6 views

Improper Verification Of Cryptographic Signature

Clerk is vulnerable to improper verification of cryptographic signature. The vulnerability is due to the use of the verifyWebhook helper, which may accept improperly signed webhook events, allowing an attacker to forge webhook requests and potentially trigger unauthorized actions...

CVSS 7.5, AI score 6.2, EPSS 0.00152
Exploits: 0, References: 2, Affected Software: 9
NVD
added 2025/07/09 6:15 p.m., 4 views

CVE-2025-53548

Clerk helps developers build user management. Applications that use the verifyWebhook helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0...

CVSS 7.5, EPSS 0.00152
Exploits: 0, References: 1
CVE
added 2025/07/09 5:12 p.m., 30 views

CVE-2025-53548

CVE-2025-53548 concerns Clerk’s verifyWebhook() validation. Across connected documents, the issue is that the verifyWebhook() helper may accept improperly signed webhook events, enabling signature forgery. The vulnerability is mitigated by upgrading to @clerk/backend 2.4.0, which properly parses ...

CVSS 7.5, AI score 6.5, EPSS 0.00152
Exploits: 0, References: 1
Cvelist
added 2025/07/09 5:12 p.m., 8 views

CVE-2025-53548 @clerk/backend Performs Insufficient Verification of Data Authenticity

Clerk helps developers build user management. Applications that use the verifyWebhook helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0...

CVSS 7.5, EPSS 0.00152
Exploits: 0, References: 1