29 matches found
CVE-2026-35649
OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access...
CVE-2026-35649
OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access...
CVE-2026-35649
OpenClaw components affected by CVE-2026-35649: OpenClaw prior to version 2026.3.22. The issue is a settings reconciliation vulnerability where explicit empty allowlists are treated as unset during reconciliation, silently undoing intended deny-all revocations and restoring previously revoked per...
CVE-2026-35649 OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist
OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access...
PT-2026-31960
OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access...
OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation
Summary Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
GHSA-PW7H-9G6P-C378 OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation
Summary Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
Incorrect Authorization
Overview @openclaw/tlon is an OpenClaw Tlon/Urbit channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the reconciliation process for Tlon settings when explicit empty allowlists are treated as unset. An attacker can bypass intended access revocation by...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the reconciliation process for Tlon settings when explicit empty allowlists are treated as unset. An attacker can bypass intended access revocation by exploitin...
Linux Distros Unpatched Vulnerability : CVE-2019-13031
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - LemonLDAP::NG before 1.9.20 has an XML External Entity XXE issue when submitting a notification to the notification server. By default, the notification server ...
CVE-2019-13031
LemonLDAP::NG before 1.9.20 has an XML External Entity XXE issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule...
CVE-2019-14681
The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=dafsettingsremove=true CSRF...
SUSE CVE-2018-12550
When Eclipse Mosquitto version 1.0 to 1.5.5 inclusive is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty...
GHSA-G54H-M393-CPWQ devices resource list treated as a blacklist by default
Impact Contrary to the OCI runtime specification, runc's implementation of the linux.resources.devices list was a black-list by default. This means that users who created their own config.json objects and didn't prefix a deny-all rule "allow": false, "permissions": "rwm" or equivalent were not...
GHSA-HHX9-P69V-CX2J Authentication bypass in Apache Airflow
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
Authentication bypass in Apache Airflow
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
PYSEC-2020-18
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
PYSEC-2020-18
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
WordPress Deny All Firewall plugin cross-site request forgery vulnerability
WordPress is a set of WordPress Software Foundation's blogging platform developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in versions of the WordPress Deny All Firewall plugin prior to 1.1.7, which...
CVE-2019-14681
The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=dafsettings&dafremove=true CSRF...