6 matches found
EUVD-2026-17437
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes...
Duplicate Advisory: OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Duplicate Advisory. This advisory has been withdrawn because it is a duplicate of GHSA-xw77-45gv-p728. This link is maintained to preserve external references. Original Description: OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent route...
CVE-2026-32916
Summary (concrete details): CVE-2026-32916 affects OpenClaw 2026.3.7 prior to 2026.3.11. The vulnerability is an authorization bypass in plugin subagent routes, where these routes execute gateway methods through a synthetic operator client with broad administrative scopes. Impact: remote unauthen...
CVE-2026-22172 OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections
OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorize...
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Summary In affected versions of openclaw, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using auth: "plugin" could therefore trigger admin-only gateway actions without normal...
GHSA-XW77-45GV-P728 OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Summary In affected versions of openclaw, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using auth: "plugin" could therefore trigger admin-only gateway actions without normal...
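The three OpenClaw advisories listed above (the synthetic admin client behind plugin subagent routes, self-declared scopes on shared-token WebSocket connections, and /pair approve not forwarding caller scopes into the core approval check) are the same class of bug: a gateway method or approval path acts on a scope set the server never derived from the caller's credential. The following is an added illustration, not OpenClaw's code and not taken from any of the advisories; the token store, scope names (operator.admin, operator.pairing, operator.read), pending-request table and gateway method names are all constructed for the example. Each vulnerable function sits beside its hardened form so the single fix, binding scopes server-side and forwarding them unchanged, can be seen in each path.

```javascript
// Added example (not OpenClaw's code). Constructed credential store:
// token -> scopes granted when the token was issued. This is the only
// place scopes may come from in the hardened paths.
const TOKEN_SCOPES = new Map([
  ["tok-admin-0001", new Set(["operator.admin", "operator.pairing", "operator.read"])],
  ["tok-pairing-0002", new Set(["operator.pairing", "operator.read"])],
  ["tok-shared-0003", new Set(["operator.read"])],
]);

// Constructed pending device pairing requests: id -> scopes the device asks for.
const PENDING = new Map([
  ["req-1", { device: "phone-a", scopes: ["operator.read"] }],
  ["req-2", { device: "laptop-b", scopes: ["operator.admin"] }],
]);

// Constructed gateway method table (names are assumptions): method -> required scope.
const GATEWAY_METHODS = {
  "config.set": { requires: "operator.admin" },
  "status.get": { requires: "operator.read" },
};

function isSubset(wanted, held) {
  for (const s of wanted) if (!held.has(s)) return false;
  return true;
}

// --- WebSocket connect: scope binding ---------------------------------------

// Vulnerable: a client-supplied scope list replaces the bound set, so a
// read-only shared token can simply declare operator.admin.
function connectVulnerable(token, declaredScopes) {
  if (!TOKEN_SCOPES.has(token)) return null;
  return { token, scopes: new Set(declaredScopes ?? TOKEN_SCOPES.get(token)) };
}

// Hardened: scopes come from the server-side record; a client may only
// narrow (attenuate) that set, never widen it.
function connectHardened(token, declaredScopes) {
  const bound = TOKEN_SCOPES.get(token);
  if (!bound) return null;
  if (declaredScopes && !isSubset(declaredScopes, bound)) return null;
  return { token, scopes: new Set(declaredScopes ?? bound) };
}

// --- /pair approve: forwarding caller scopes into the core check -------------

// Core rule: an approver needs pairing rights and may grant only scopes
// they themselves hold.
function canApprove(caller, requestId) {
  const req = PENDING.get(requestId);
  if (!req || !caller) return false;
  return caller.scopes.has("operator.pairing") && isSubset(req.scopes, caller.scopes);
}

// Vulnerable: the command path checks pairing rights locally, then calls
// the core check with a synthetic admin context instead of the caller.
function pairApproveVulnerable(caller, requestId) {
  if (!caller?.scopes.has("operator.pairing")) return false;
  const synthetic = { scopes: new Set(["operator.admin", "operator.pairing"]) };
  return canApprove(synthetic, requestId);
}

// Hardened: the caller's own bound scopes reach the core check unchanged.
function pairApproveHardened(caller, requestId) {
  return canApprove(caller, requestId);
}

// --- Plugin routes: dispatching gateway methods ------------------------------

function dispatch(client, method) {
  const spec = GATEWAY_METHODS[method];
  if (!spec) throw new Error(`unknown method ${method}`);
  return client.scopes.has(spec.requires);
}

// Vulnerable: every plugin route runs gateway methods as a synthetic
// operator that always carries admin scopes, whoever hit the route.
function pluginRouteVulnerable(_caller, method) {
  const synthetic = { scopes: new Set(["operator.admin", "operator.read"]) };
  return dispatch(synthetic, method);
}

// Hardened: the route dispatches with the authenticated caller's scopes.
function pluginRouteHardened(caller, method) {
  if (!caller) return false;
  return dispatch(caller, method);
}
```

Run with Node 14 or later. The point to take from the three paired functions is that the check itself (`canApprove`, `dispatch`) is correct in every case; each bypass comes from the identity handed to that check, so the fix is in how the caller context is constructed and forwarded, not in the check.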