755 matches found
CVE-2026-28448
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (which must be installed and enabled): it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...
EUVD-2026-9898
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (which must be installed and enabled): it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...
CVE-2026-28448 OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (which must be installed and enabled): it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can...
CVE-2026-28448
CVE-2026-28448 affects OpenClaw, Twitch plugin. OpenClaw versions 2026.1.29 prior to 2026.2.1 are vulnerable due to failure to enforce the allowFrom allowlist when allowedRoles is unset or empty. This lets unauthorized Twitch users mention the bot in chat to bypass access control and trigger the ...
Incorrect Authorization
Overview: @openclaw/zalo is an OpenClaw Zalo channel plugin. Affected versions of this package are vulnerable to Incorrect Authorization in the GROUP message dispatch process. An attacker can gain unauthorized access to restricted group message handling by sending GROUP messages from a sender not...
OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
Summary: The system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers. This allowed wrapper-smuggled payloads (for example, env bash -lc ...) to satisfy an allowlist entry for the wrapper while executing non-allowlisted...
Incorrect Authorization
Overview: openclaw is the 🦞 OpenClaw — Personal AI Assistant package. Affected versions of this package are vulnerable to Incorrect Authorization via the system.run process. An attacker can execute unauthorized commands by bypassing allowlist restrictions through wrapper binaries such as env or shell-dispatc...
GHSA-GW85-XP4Q-5GP9 OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
Summary: In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty or unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...
GHSA-CCG8-46R6-9QGJ OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
Summary: A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers (for example, repeated /usr/bin/env) to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss mode, this could bypass the expected approval prompt...
PT-2026-26404
Summary: A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers (for example, repeated /usr/bin/env) to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss mode, this could bypass the expected approval prompt...
CVE-2026-2668
A vulnerability was found in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. This affects an unknown function of the file /dm/dispatch/user/add of the component User Handler. The manipulation results in improper access controls. The attack may be launched remotely. The...
CVE-2026-2669
Rongzhitong Visual Integrated Command and Dispatch Platform is identified as vulnerable in CVE-2026-2669. The affected component is the User Handler, specifically the file path /dm/dispatch/user/delete. The root cause is improper access controls caused by manipulating the argument ID, enabling re...
CVE-2026-2668
Affected product/component: Rongzhitong Visual Integrated Command and Dispatch Platform, specifically the User Handler component (file: /dm/dispatch/user/add). Root cause (as described): Improper access controls due to manipulation. Impact: Remote attacker could exploit this via a network attack ...
CVE-2026-2667
Rongzhitong Visual Integrated Command and Dispatch Platform is affected. The vulnerability targets an unknown function in the file /dispatch/api?cmd=userinfo, leading to improper access controls. The issue is exploitable remotely and an exploit has been disclosed publicly. The vendor was contacte...
Rongzhitong Visual Integrated Command and Dispatch Platform Access Control Error Vulnerability
Rongzhitong Visual Integrated Command and Dispatch Platform is an integrated command system for emergency management and public safety developed by Rongzhitong Corporation. The Rongzhitong Visual Integrated Command and Dispatch Platform versions 20260206 and earlier contained an access control...