3449 matches found

ATTACKERKB
added 2026/04/20 11:45 a.m., 1 view

CVE-2026-6635

A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function toolcall of the file apps/experimental/toolswebhook/app.py of the component toolswebhook. Manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be...

CVSS 7.5 | AI score 6.5 | EPSS 0.00033
Exploits 0 | References 4 | Affected software 1
Positive Technologies
added 2026/04/20 12:00 a.m., 4 views

PT-2026-33790

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...

CVSS 5.8 | AI score 5.9 | EPSS 0.00043
Exploits 0 | References 5
CNNVD
added 2026/04/20 12:00 a.m., 4 views

rowboat security vulnerability

Rowboat is an open-source, AI-driven multi-agent builder developed by RowBoat Labs. Versions of Rowboat prior to 0.1.67 contain a security vulnerability that stems from improper handling of the parameter X-Tools-JWE in the toolcall function of the toolswebho...

CVSS 7.5 | AI score 7.1 | EPSS 0.00033
Exploits 0 | References 1
CNNVD
added 2026/04/20 12:00 a.m., 6 views

Vexa security vulnerability

Vexa is an open-source meeting bot and real-time transcription API developed by Vexa.ai. Versions of Vexa prior to 0.10.0-260419-1910 contain a security vulnerability that stems from a lack of validation of the webhook URL, which could allow authenticated attackers to...

CVSS 5.8 | AI score 5.8 | EPSS 0.00043
Exploits 0 | References 1
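Both Vexa entries above describe the same weakness: a user-supplied webhook URL that the server later POSTs to without validation, which turns the webhook feature into a server-side request forgery primitive against loopback, internal and cloud-metadata addresses. The following is an added example, not Vexa's code, of the validation a practitioner would expect before such a URL is accepted for storage. The https-only rule, the blocked address ranges and the injectable resolver are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges an outbound webhook must never reach (assumed policy): unspecified,
# RFC 1918, CGNAT, loopback, link-local (incl. cloud metadata), multicast, reserved,
# IPv6 unspecified/loopback, ULA, IPv6 link-local and IPv4-mapped IPv6.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def address_blocked(addr: str) -> bool:
    """True if the literal IP falls in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def dns_resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer, because any of them may be used for the POST."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})
    except socket.gaierror:
        return []


def validate_webhook_url(url: str, resolve=dns_resolve) -> tuple[bool, str]:
    """Decide whether a user-supplied webhook URL may be stored. Returns (ok, reason).

    `resolve` is injectable so the check runs offline in tests. In production the
    delivery code must connect to the addresses validated here (or re-run the check
    at send time); otherwise a DNS rebind between validation and delivery bypasses it.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        ipaddress.ip_address(host)          # literal address: nothing to resolve
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if address_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the lambda resolvers stand in for DNS so this runs offline.
    print(validate_webhook_url("https://hooks.example.com/done", resolve=lambda h: ["203.0.113.10"]))
    print(validate_webhook_url("https://169.254.169.254/latest/meta-data/"))
    print(validate_webhook_url("https://[::ffff:127.0.0.1]/hook"))
    print(validate_webhook_url("https://internal.example.com/hook", resolve=lambda h: ["10.0.0.5"]))
```

Checking the resolved addresses rather than only the hostname is what closes the obvious bypasses (a public name that resolves to 10.0.0.5, or an IPv4-mapped IPv6 literal for loopback); the remaining gap, rebinding after validation, has to be closed in the HTTP client by pinning the validated addresses.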
Positive Technologies
added 2026/04/20 12:00 a.m., 4 views

PT-2026-33757

A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function toolcall of the file apps/experimental/toolswebhook/app.py of the component toolswebhook. Manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be...

CVSS 7.5 | AI score 6.5 | EPSS 0.00033
Exploits 0 | References 5
OSV
added 2026/04/18 8:40 a.m., 4 views

BIT-GRAFANA-2025-12141 Grafana Alerting: Editors can edit the destination of webhooks they did not create

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test" that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor, can edit...

CVSS 6.5 | AI score 5.7 | EPSS 0.00066
Exploits 0 | References 2
Snyk
added 2026/04/18 12:47 a.m., 0 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...

CVSS 8.2 | AI score 5.5 | EPSS 0.00404
Exploits 1 | References 2
NVD
added 2026/04/17 11:16 p.m., 4 views

CVE-2026-40481

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

CVSS 8.2 | EPSS 0.00404
Exploits 1 | References 2
CVE
added 2026/04/17 10:54 p.m., 5 views

CVE-2026-40481

In monetr, versions 1.12.3 and earlier expose a denial-of-service risk where the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. An unauthenticated remote attacker can send oversized POST payloads to trigger uncontrolled memory gr...

CVSS 8.2 | AI score 5.7 | EPSS 0.00404
Exploits 1 | References 2 | Affected software 1
Cvelist
added 2026/04/17 10:54 p.m., 21 views

CVE-2026-40481 monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

CVSS 8.2 | EPSS 0.00404
Exploits 1 | References 2
Vulnrichment
added 2026/04/17 10:54 p.m., 5 views

CVE-2026-40481 monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

CVSS 8.2 | AI score 5.7 | EPSS 0.00404
Exploits 1 | References 2
OSV
added 2026/04/17 10:32 p.m., 0 views

GHSA-XH72-V6V9-MWHC OpenClaw: Feishu webhook and card-action validation now fail closed

Summary: Feishu webhook mode accepted a missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact: A...

CVSS 9.8 | AI score 5.7 | EPSS 0.002
Exploits 1 | References 6
Github Security Blog
added 2026/04/17 10:32 p.m., 6 views

OpenClaw: Feishu webhook and card-action validation now fail closed

Summary: Feishu webhook mode accepted a missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact: A...

CVSS 9.8 | AI score 5.7 | EPSS 0.002
Exploits 1 | References 6 | Affected software 1
OSV
added 2026/04/17 9:48 p.m., 2 views

GHSA-G2HM-779G-VM32 OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

Summary: Heartbeat owner downgrade missed untrusted webhook wake events. Affected packages / versions: package openclaw, ecosystem npm, affected versions = 2026.4.7 = 2026.4.14. Impact: Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving...

CVSS 9.1 | AI score 5.9 | EPSS 0.0016
Exploits 0 | References 6
Snyk
added 2026/04/17 9:48 p.m., 4 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization because the heartbeat owner downgrade does not properly handle untrusted webhook wake events. An attacker can maintain elevated privileges by sending specially crafted...

CVSS 9.8 | AI score 5.8 | EPSS 0.0016
Exploits 0 | References 2
Github Security Blog
added 2026/04/17 9:48 p.m., 5 views

OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

Summary: Heartbeat owner downgrade missed untrusted webhook wake events. Affected packages / versions: package openclaw, ecosystem npm, affected versions = 2026.4.7 = 2026.4.14. Impact: Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving...

CVSS 9.8 | AI score 5.9 | EPSS 0.0016
Exploits 0 | References 6 | Affected software 1
CNNVD
added 2026/04/17 12:00 a.m., 3 views

monetr security vulnerability

monetr is an open-source personal budget management application developed by Monetr. Versions of monetr 1.12.3 and earlier contain a security vulnerability that stems from the Stripe webhook endpoint buffering the entire request body in memory, potentially leading to...

CVSS 8.2 | AI score 5.8 | EPSS 0.00404
Exploits 1 | References 2
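The CVE-2026-40481 entries on this page (NVD, CVE, Cvelist, Vulnrichment, Snyk and CNNVD) all describe one ordering mistake: the webhook handler reads the whole request body into memory and only then checks the Stripe signature, so an unauthenticated sender controls how much memory the handler allocates. The example below is added here and is not monetr's code (monetr is a Go project; the example is in Python like the others on this page). It puts the vulnerable ordering next to a hardened handler that bounds the read before doing any cryptography, and verifies Stripe's documented `t=<timestamp>,v1=<HMAC-SHA256 over "<timestamp>.<body>">` header format. The 64 KiB cap, the secret and the sample event are constructed for the example.

```python
import hashlib
import hmac
import io

MAX_BODY = 64 * 1024   # assumed cap; genuine Stripe events are a few KB at most


class CountingStream(io.BytesIO):
    """Request-body stand-in that records how many bytes a handler actually consumed."""

    def __init__(self, data: bytes):
        super().__init__(data)
        self.bytes_read = 0

    def read(self, size=-1) -> bytes:
        chunk = super().read(size)
        self.bytes_read += len(chunk)
        return chunk


def sign_payload(payload: bytes, secret: str, ts: int) -> str:
    """Build a Stripe-style header: t=<unix ts>,v1=HMAC-SHA256(secret, "<ts>.<payload>")."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_signature(payload: bytes, header: str, secret: str, now: int, tolerance: int = 300) -> bool:
    """Constant-time check of the v1 signature plus a replay window on the timestamp."""
    fields = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    try:
        ts, v1 = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, v1)


def vulnerable_handler(stream, content_length, header, secret, now) -> int:
    """Shape of the bug: the whole attacker-sized body lands in memory before any check."""
    body = stream.read()
    return 200 if verify_signature(body, header, secret, now) else 400


def hardened_handler(stream, content_length, header, secret, now, max_body=MAX_BODY) -> int:
    """Bound the read first, verify second, parse last."""
    if content_length is not None and content_length > max_body:
        return 413                      # refuse on the declared size; nothing read yet
    body = stream.read(max_body + 1)    # chunked or lying Content-Length: still bounded
    if len(body) > max_body:
        return 413
    if not verify_signature(body, header, secret, now):
        return 400
    return 200                          # only now would the JSON event be parsed


def demo() -> dict:
    """Constructed inputs: one genuine event, one forged, and a 256 KiB garbage body."""
    secret, now = "whsec_example_only", 1_700_000_000
    event = b'{"id":"evt_1","type":"invoice.paid"}'
    out = {
        "valid": hardened_handler(CountingStream(event), len(event), sign_payload(event, secret, now), secret, now),
        "forged": hardened_handler(CountingStream(event), len(event), sign_payload(event, "wrong", now), secret, now),
    }
    junk = b"A" * (4 * MAX_BODY)
    s = CountingStream(junk)
    out["vuln_status"], out["vuln_bytes"] = vulnerable_handler(s, None, "t=0,v1=00", secret, now), s.bytes_read
    s = CountingStream(junk)
    out["hard_status"], out["hard_bytes"] = hardened_handler(s, None, "t=0,v1=00", secret, now), s.bytes_read
    return out


if __name__ == "__main__":
    print(demo())
```

The byte counters are the point: for the same 256 KiB junk body the vulnerable handler pulls all of it into memory before rejecting the signature, while the hardened one stops at 64 KiB + 1 and answers 413 without ever computing an HMAC. In a real server the equivalent of `read(max_body + 1)` is the framework's body-size limit, which must apply on the webhook route even when it is raised elsewhere for file uploads.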
Positive Technologies
added 2026/04/17 12:00 a.m., 5 views

PT-2026-37021

Affected software and versions: OpenClaw versions 2026.4.7 through 2026.4.13. Description: A privilege escalation issue exists where the heartbeat owner downgrade logic fails to account for webhook wake events containing untrusted content. This allows attackers to send untrust...

CVSS 9.8 | AI score 5.9 | EPSS 0.0016
Exploits 0 | References 10
Positive Technologies
added 2026/04/17 12:00 a.m., 5 views

PT-2026-37009

Affected software and versions: OpenClaw version 2026.4.9. Description: A denial of service issue exists in the voice-call realtime WebSocket path. The system accepts oversized frames without proper validation, allowing remote attackers to send these frames to cause service...

CVSS 8.7 | AI score 5.8 | EPSS 0.00131
Exploits 0 | References 7
Positive Technologies
added 2026/04/17 12:00 a.m., 8 views

PT-2026-38242

Affected software and versions: OpenClaw versions prior to 2026.4.15. Description: An authentication bypass exists in the Feishu webhook and card-action validation. When the encryptKey configuration is missing or callback tokens are blank, the system fails open rather than...

CVSS 9.8 | AI score 6 | EPSS 0.002
Exploits 1 | References 14
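The three Feishu entries above (GHSA-XH72-V6V9-MWHC, the GitHub advisory and PT-2026-38242) describe two fail-open paths with the same root cause: an absent `encryptKey` was treated as "no check required", and a blank callback token compared equal to a blank configured token. The following is an added example, not OpenClaw's code, contrasting that shape with a fail-closed check in which missing configuration disables the endpoint rather than the check, and blank values are never accepted as credentials. The configuration key names `encrypt_key` and `verification_token`, and the `ConfigError` type, are assumptions made for the example.

```python
import hmac


class ConfigError(ValueError):
    """Raised when a required secret is absent; the deployment must not serve callbacks."""


def configured(value) -> bool:
    """Treat None, non-strings, empty and whitespace-only values as 'not configured'."""
    return isinstance(value, str) and value.strip() != ""


def authorize_fail_open(cfg: dict, presented_token) -> bool:
    """The anti-pattern: an unset secret switches the check off instead of the endpoint.

    With cfg == {} every caller is admitted, and a blank presented token matches a
    blank configured token. Both correspond to the fail-open paths described above.
    """
    expected = cfg.get("verification_token")
    if not expected:
        return True
    return presented_token == expected


def authorize_fail_closed(cfg: dict, presented_token) -> bool:
    """Admit a callback only when a real secret is configured and the caller proves it."""
    expected = cfg.get("verification_token")
    if not configured(expected):
        raise ConfigError("verification_token is not configured; refusing all callbacks")
    if not configured(presented_token):
        return False                    # a blank or missing token is never a credential
    return hmac.compare_digest(expected.encode(), presented_token.encode())


def load_webhook_config(raw: dict) -> dict:
    """Validate at startup so a misconfigured deployment refuses to start instead of serving open."""
    required = ("encrypt_key", "verification_token")
    missing = [k for k in required if not configured(raw.get(k))]
    if missing:
        raise ConfigError(f"missing or blank required secrets: {', '.join(missing)}")
    return {k: raw[k].strip() for k in required}


def demo() -> dict:
    """Constructed inputs showing the two policies side by side."""
    out = {}
    out["open_no_secret"] = authorize_fail_open({}, "anything")
    out["open_blank_token"] = authorize_fail_open({"verification_token": ""}, "")
    try:
        authorize_fail_closed({}, "anything")
        out["closed_no_secret"] = "admitted"
    except ConfigError:
        out["closed_no_secret"] = "refused"
    out["closed_blank_token"] = authorize_fail_closed({"verification_token": "s3cret"}, "   ")
    out["closed_good_token"] = authorize_fail_closed({"verification_token": "s3cret"}, "s3cret")
    try:
        load_webhook_config({"encrypt_key": " ", "verification_token": "s3cret"})
        out["startup"] = "started"
    except ConfigError:
        out["startup"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The two decisions that matter are made before any comparison happens: a secret that is not configured raises rather than returns, and `configured()` rejects whitespace-only strings so an operator who sets `encryptKey: ""` to "disable" the feature gets a refused deployment instead of an open one. Checking at load time as well as per request means the failure is visible at startup, not discovered from the audit log.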