Lucene search
K

143 matches found

CVE
CVE
added 2026/05/06 7:49 p.m.19 views

CVE-2026-44110

OpenClaw is affected by CVE-2026-44110, with vulnerability present in versions before 2026.4.15. The issue is an authorization bypass in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without be...

8.8CVSS5.9AI score0.00288EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/04/23 9:58 p.m.16 views

CVE-2026-41348

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/20 12:0 a.m.7 views

PT-2026-33868

OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairi...

6.9CVSS5.8AI score0.00253EPSS
Exploits0References4
NVD
NVD
added 2026/04/10 5:17 p.m.9 views

CVE-2026-35647

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

6.9CVSS0.00285EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/10 4:3 p.m.1 views

CVE-2026-35661

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypas...

6.9CVSS5.8AI score0.00285EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/10 4:3 p.m.2 views

CVE-2026-35647

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

6.9CVSS5.8AI score0.00285EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/10 4:3 p.m.3 views

EUVD-2026-21440

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

6.9CVSS5.8AI score0.00285EPSS
Exploits0References3
CVE
CVE
added 2026/04/10 4:3 p.m.12 views

CVE-2026-35647

OpenClaw before 2026.3.25 contains an access control flaw: verification notices bypass DM policy checks and reply to unpaired peers due to insufficient access validation before transmission. This could allow sending verification notices to users outside allowed direct message policies. Root cause...

6.9CVSS5.8AI score0.00285EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/10 12:30 a.m.1 views

GHSA-P6J4-WVMC-VX2H Duplicate Advisory: OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vfg3-pqpq-93m4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cit...

7.3CVSS5.7AI score0.00247EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/10 12:30 a.m.7 views

Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that...

6.5CVSS5.8AI score0.00245EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.5 views

PT-2026-31959

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

6.9CVSS5.8AI score0.00285EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.4 views

PT-2026-31975

OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization...

6.9CVSS5.8AI score0.00276EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.8 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from authorization bypasses in the Telegram inquiry processing mechanism, which could allow remote attackers...

6.9CVSS5.8AI score0.00285EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/09 9:27 p.m.1 views

CVE-2026-35637 OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM

OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation...

7.3CVSS5.8AI score0.00247EPSS
Exploits0References5
CVE
CVE
added 2026/04/09 9:27 p.m.13 views

CVE-2026-35637

OpenClaw prior to version 2026.3.22 is affected by a timing vulnerability where cite expansion occurs before channel and DM authorization checks complete. This allows cite work and content handling before final authorization decisions, enabling an attacker to access or manipulate content earlier ...

7.3CVSS5.9AI score0.00247EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:27 p.m.2 views

CVE-2026-35637

OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation...

7.3CVSS5.9AI score0.00247EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.6 views

PT-2026-31770

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw before version 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension. This allows attackers to collapse multi-account configurations onto shar...

6.3CVSS5.8AI score0.00245EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.4 views

PT-2026-31772

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw before version 2026.3.22 performs cite expansion before completing channel and direct message DM authorization checks. This allows cite work and content handling to occur before final...

7.3CVSS5.7AI score0.00247EPSS
Exploits0References9
CNNVD
CNNVD
added 2026/04/09 12:0 a.m.8 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities stemmed from the execution of reference extensions before channel and DM authorization checks, which could allow...

7.3CVSS5.8AI score0.00247EPSS
Exploits0References5
OSV
OSV
added 2026/03/29 3:50 p.m.2 views

GHSA-J4C9-W69R-CW33 OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Summary Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Telegram callba...

6.9CVSS5.9AI score0.00285EPSS
Exploits0References5
Rows per page
Query Builder