Lucene search
K

35 matches found

Cvelist
Cvelist
added 2026/03/31 11:17 a.m.24 views

CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

4.3CVSS0.00267EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.12 views

PT-2026-29239

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

7.5CVSS5.9AI score0.00025EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/29 3:30 p.m.3 views

EUVD-2026-17007

OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chattype are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group...

9.8CVSS5.9AI score0.00309EPSS
Exploits0References3
CVE
CVE
added 2026/03/29 12:44 p.m.13 views

CVE-2026-32924

OpenClaw before 2026.3.12 is affected by an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations rather than group chats. This misclassification allows attackers to bypass groupAllowFrom and requireMention protections for re...

9.8CVSS5.9AI score0.00309EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.4 views

CVE-2026-32028

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...

6.3CVSS5.8AI score0.00198EPSS
Exploits0References1
NVD
NVD
added 2026/03/19 10:16 p.m.5 views

CVE-2026-32005

OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including blockaction, viewsubmission, and viewclosed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue...

8.1CVSS0.00283EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/19 10:6 p.m.13 views

EUVD-2026-13261

OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including blockaction, viewsubmission, and viewclosed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue...

7.6CVSS5.8AI score0.00283EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/18 1:34 a.m.3 views

EUVD-2026-12712

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

6.3CVSS5.8AI score0.00255EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/03/05 9:59 p.m.31 views

CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin must be installed and enabled in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...

7.3CVSS0.00444EPSS
Exploits1References3
CVE
CVE
added 2026/03/05 9:59 p.m.19 views

CVE-2026-28448

OpenClaw OpenClaw (Twitch plugin) versions 2026.1.29 through 2026.2.0 are affected. The vulnerability resides in the Twitch plugin’s access-control logic (checkTwitchAccessControl in extensions/twitch/src/access-control.ts): when allowFrom is configured and allowedRoles is unset or empty, the cod...

9.4CVSS5.9AI score0.00444EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/05 9:59 p.m.2 views

CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin must be installed and enabled in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...

7.3CVSS5.8AI score0.00444EPSS
Exploits1References3
OSV
OSV
added 2026/03/05 9:59 p.m.3 views

CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin must be installed and enabled in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...

6.3CVSS6AI score0.00444EPSS
Exploits1References5
OSV
OSV
added 2026/03/03 9:25 p.m.4 views

GHSA-354R-7MFH-7RH2 OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups

Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...

5.3CVSS6AI score0.00198EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/02/17 9:37 p.m.11 views

OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline

Summary In the optional Twitch channel plugin extensions/twitch, allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot coul...

9.4CVSS5.9AI score0.00444EPSS
Exploits1References6Affected Software1
Hacker One
Hacker One
added 2015/10/22 5:46 a.m.27 views

InVision: X-Frame-Options Header Not Set

Hi , Wamim Here With a dising issue iMPACT : X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. Soliution : Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site if you expect th...

6.6AI score
Exploits0
Rows per page
Query Builder