58 matches found

OSV
added 2026/03/18 2:16 a.m., 4 views

CVE-2026-22170

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

CVSS 4.8 | AI score 5.9
Exploits 0 | References 6
NVD
added 2026/03/18 2:16 a.m., 4 views

CVE-2026-22170

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

CVSS 6.5 | EPSS 0.00255
Exploits 0 | References 6
Vulnrichment
added 2026/03/18 1:34 a.m., 2 views

CVE-2026-22170 OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

CVSS 6.5 | AI score 5.8 | EPSS 0.00255
Exploits 0 | References 6
ATTACKERKB
added 2026/03/18 1:34 a.m., 3 views

CVE-2026-22170

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

CVSS 6.3 | AI score 5.8 | EPSS 0.00255
Exploits 0 | References 7
Cvelist
added 2026/03/18 1:34 a.m., 31 views

CVE-2026-22170 OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by...

CVSS 6.5 | EPSS 0.00255
Exploits 0 | References 6
CVE
added 2026/03/18 1:34 a.m., 13 views

CVE-2026-22170

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass caused by an empty allowFrom configuration. This misconfiguration makes dmPolicy pairing and allowlist restrictions ineffective, enabling remote attackers to send direct messages to BlueBubb...

CVSS 6.5 | AI score 5.8 | EPSS 0.00255
Exploits 0 | References 6 | Affected Software 1
RedhatCVE
added 2026/03/07 1:44 a.m., 4 views

CVE-2026-28448

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (which must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...

CVSS 9.4 | AI score 5.8 | EPSS 0.00444
Exploits 1 | References 1
NVD
added 2026/03/05 10:16 p.m., 8 views

CVE-2026-28448

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (which must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...

CVSS 9.4 | EPSS 0.00444
Exploits 1 | References 3
ATTACKERKB
added 2026/03/05 9:59 p.m., 3 views

CVE-2026-28448

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (which must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...

CVSS 6.3 | AI score 5.9 | EPSS 0.00444
Exploits 1 | References 4 | Affected Software 1
Snyk
added 2026/03/04 7:44 p.m., 3 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted...

CVSS 6.5 | AI score 5.8 | EPSS 0.00255
Exploits 0 | References 2
Github Security Blog
added 2026/03/04 7:44 p.m., 4 views

OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty

Summary: BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale: Medium. Severity is set to medium because: - this...

CVSS 6.5 | AI score 5.9 | EPSS 0.00255
Exploits 0 | References 8 | Affected Software 1
OSV
added 2026/03/04 7:44 p.m., 2 views

GHSA-JWF4-8WF4-JF2M OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty

Summary: BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale: Medium. Severity is set to medium because: - this...

CVSS 5.3 | AI score 5.9 | EPSS 0.00255
Exploits 0 | References 8
Snyk
added 2026/03/04 6:58 p.m., 5 views

Authorization Bypass Through User-Controlled Key

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the tools.elevated.allowFrom process. An attacker can gain unauthorized elevated access by providing broader identity signals than...

CVSS 5.3 | AI score 5.8
Exploits 0 | References 2
OSV
added 2026/03/04 6:58 p.m., 3 views

GHSA-F6H3-846H-2R8W OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization

Summary: In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context: OpenClaw is commonly used in 1:1 chats or trusted group...

CVSS 5.3 | AI score 5.9
Exploits 0 | References 3
OSV
added 2026/03/03 9:41 p.m., 5 views

GHSA-J4XF-96QF-RX69 OpenClaw has a Feishu allowFrom authorization bypass via display-name collision

Summary: Feishu allowlist authorization could be bypassed by display-name collision. Details: channels.feishu.allowFrom is documented as an ID-based allowlist (openid list), but Feishu policy matching accepted mutable sender display names in the same namespace. An attacker could set a display name...

CVSS 6.5 | AI score 5.9 | EPSS 0.00205
Exploits 0 | References 5
Snyk
added 2026/02/17 10:56 p.m., 2 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the allowFrom. An attacker can gain unauthorized access by exploiting the acceptance of mutable email principals in authorization checks. Note: This is only...

CVSS 3.3 | AI score 5.7
Exploits 0 | References 3
OSV
added 2026/02/17 9:37 p.m., 5 views

GHSA-33RQ-M5X2-FVGF OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline

Summary: In the optional Twitch channel plugin extensions/twitch, allowFrom is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If allowedRoles is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot coul...

CVSS 7.3 | AI score 5.9 | EPSS 0.00444
Exploits 1 | References 6
Snyk
added 2026/02/17 9:34 p.m., 5 views

User Impersonation

Overview: @openclaw/matrix is an OpenClaw Matrix channel plugin. Affected versions of this package are vulnerable to User Impersonation via channels.matrix.dm.allowFrom. An attacker can impersonate an allowed identity and gain unauthorized access to the routing or agent pipeline by manipulating...

CVSS 6.9 | AI score 5.8 | EPSS 0.00231
Exploits 0 | References 2