35 matches found
CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...
PT-2026-29239
OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...
EUVD-2026-17007
OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chattype are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group...
CVE-2026-32924
OpenClaw before 2026.3.12 is affected by an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations rather than group chats. This misclassification allows attackers to bypass groupAllowFrom and requireMention protections for re...
CVE-2026-32028
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...
CVE-2026-32005
OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including blockaction, viewsubmission, and viewclosed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue...
EUVD-2026-13261
OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including blockaction, viewsubmission, and viewclosed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue...
EUVD-2026-12712
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...
CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin must be installed and enabled in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...
CVE-2026-28448
OpenClaw OpenClaw (Twitch plugin) versions 2026.1.29 through 2026.2.0 are affected. The vulnerability resides in the Twitch plugin’s access-control logic (checkTwitchAccessControl in extensions/twitch/src/access-control.ts): when allowFrom is configured and allowedRoles is unset or empty, the cod...
CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin must be installed and enabled in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...
CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin must be installed and enabled in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...
GHSA-354R-7MFH-7RH2 OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...
OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline
Summary In the optional Twitch channel plugin extensions/twitch, allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot coul...
InVision: X-Frame-Options Header Not Set
Hi , Wamim Here With a dising issue iMPACT : X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. Soliution : Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site if you expect th...