3449 matches found
Insufficient Session Expiration
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration in the webhook authentication process. An attacker can continue to access protected webhook routes using a previously valid secret even after the secret ha...
GHSA-Q8FF-7FFM-M3R9 OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
Summary OpenClaw webhooks allowed route secrets to be backed by SecretRef values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran openclaw secrets reload, the previous resolved webhook secret could remain valid until the plugin or gateway...
CVE-2026-43566
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...
CVE-2026-43566 OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...
CVE-2026-43566 OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...
EUVD-2026-27283
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...
CVE-2026-43566
OpenClaw is affected in versions 2026.4.7 through 2026.4.13 by a privilege escalation vulnerability caused by heartbeat owner downgrade logic that skips webhook wake events carrying untrusted content. An attacker can exploit this by sending untrusted webhook wake events to preserve an owner‑like ...
EUVD-2026-27257
OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing th...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. The version of OpenClaw from 2026.4.7 to 2026.4.14 contains security vulnerabilities. These vulnerabilities stem from a logic that downgrades the heartbeat owner, causing it to skip Webhook wake-up events carrying...
PT-2026-37295
Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.0 Description An authenticated user can configure a donation-notification webhook URL to point to internal, loopback, or metadata hosts, such as http://127.0.0.1:8080/ or http://169.254.169.254/latest/. When...
CVE-2026-4100
The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the addWebhookAuthorization function. An attacker can cause excessive memory allocation by sending a large request body to the publicly accessible /api/v1/events/ endpoint,...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the addWebhookAuthorization function. An attacker can cause excessive memory allocation by sending a large request body to the publicly accessible /api/v1/events/ endpoint,...
Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Severity: Medium Component: Webhook Interceptor server/auth/webhook Vulnerability Type: Denial of Service DoS Description The Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint,...
GHSA-JCC8-G2Q4-9FXQ Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Severity: Medium Component: Webhook Interceptor server/auth/webhook Vulnerability Type: Denial of Service DoS Description The Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint,...
CVE-2026-42231
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modi...
CVE-2026-42231 n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modi...
EUVD-2026-27102
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modi...
CVE-2026-42231
n8n (open source workflow automation platform) is affected by CVE-2026-42231 due to a prototype pollution flaw in the xml2js XML request body parser within the webhook handler. The vulnerability, exploitable by an authenticated user with permission to create or modify workflows, can be chained wi...
GHSA-P3PQ-HXMR-VQQR Prefect SSRF Bypass via DNS Rebinding in validate_restricted_url
A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validaterestrictedurl of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is...