139 matches found
GHSA-275C-XPVC-JGFW OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload
Summary Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after secrets.reload. This advisory is scoped to the named feature and configuration. ...
GHSA-8C59-HR4W-QG69 OpenClaw: Zalo allowFrom could bind to mutable display names
Summary Zalo allowFrom could bind to mutable display names. In affected versions, a Zalo friend or contact with mutable display metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...
CVE-2026-53857
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when...
CVE-2026-53857
OpenClaw before 2026.5.3 is vulnerable: the policy enforcement flaw allows Zalo display-name changes to influence allowFrom policy matching, causing attackers with mutable display names to receive responses intended for other Zalo identities when the feature is enabled. Affected product: OpenClaw...
PT-2026-49774
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.3 Description A policy enforcement issue exists where Zalo contacts with mutable display metadata can match allowFrom policy entries by changing their display names. This allows attackers with mutable display...
EUVD-2026-36618
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...
CVE-2026-53830
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...
CVE-2026-53830 OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...
CVE-2026-53830 OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...
PT-2026-49034
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.22 Description A webhook secret revocation bypass allows callers using outdated Slack and Zalo webhook secrets to remain active after the secrets.reload function is executed. This creates a stale-secret window...
CVE-2026-44116
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
OpenClaw server-side request forgery vulnerability (CNVD-2026-19639)
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a server-side request forgery vulnerability that can be exploited by an attacker to gain unauthorized access to internal resources by providing a malicious photo URL to the Zalo Bot API to bypass SSRF...
GHSA-QVMW-H675-H7QG Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2hh7-c75g-qj2r. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto functio...
EUVD-2026-28197
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2hh7-c75g-qj2r. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto functio...
CVE-2026-44116
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
CVE-2026-44116 OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
CVE-2026-44116
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
CVE-2026-44116
OpenClaw prior to version 2026.4.22 is affected by a server-side request forgery in the Zalo plugin’s sendPhoto function, failing to validate outbound photo URLs against the SSRF guard. An attacker can bypass SSRF protection by supplying malicious photo URLs to the Zalo Bot API, enabling unauthor...
CVE-2026-44116 OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...