Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the sessions/:sessionKey/kill HTTP route. An attacker can terminate arbitrary sessions without proper authorization by sending a bearer-authenticated request th...

CVE-2026-31813

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...

CVE-2026-31813 Supabase Auth has insecure Apple and Azure authentication with ID tokens

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...

Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions

Summary A vulnerability was identified in the multi-session plugin for Better Auth, specifically in the /sign-out after-hook. The hook trusts raw multi-session cookies and forwards the extracted values directly to internalAdapter.deleteSessions without verifying the cookie signature. Because cook...

EUVD-2025-199765

Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions...

PT-2025-34858 · Unknown · Verifyuserbythrustedservice

Name of the Vulnerable Software and Affected Versions: versions prior to 2.3 Description: An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. An attacker can use th...

CVE-2021-29368

Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions...

CVE-2014-10400

The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875...

CVE-2014-10399

The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875...

CVE-2014-2875

The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10399 and CVE-2014-10400 were SPLIT from this ID...

Vulnerability in Moodle 'message/index.php'

Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. A security vulnerability exists in the Moodle 'message/index.php' script. Due to the program failing to properly check the...

Novell eDirectory <= 8.8.5 Cookie Hijack Vulnerability

Novell eDirectory is prone to a session cookie hijack vulnerability. SPDX-FileCopyrightText: 2010 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...