Lucene search
K

150 matches found

OSV
OSV
added 2026/07/02 5:13 p.m.5 views

GHSA-7HXM-F538-3XP6 OpenClaw: Matrix allowFrom could bind to mutable display names

Summary Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 5:13 p.m.11 views

EUVD-2026-36317

OpenClaw: Matrix allowFrom could bind to mutable display names...

8.8CVSS5.8AI score0.00309EPSS
Exploits0References3
OSV
OSV
added 2026/07/02 4:43 p.m.6 views

GHSA-C29C-2Q9C-PC86 OpenClaw: Slack allowFrom could bind to mutable display names

Summary Slack allowFrom could bind to mutable display names. In affected versions, a Slack account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

8.6CVSS6AI score0.00209EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 7:9 p.m.16 views

CVE-2026-57522

CVE-2026-57522 affects Bitwarden Server prior to 2026.5.0. The vulnerability is a JSON injection in IntegrationTemplateProcessor.ReplaceTokens(), which inserts user-controlled values into event-integration templates without JSON encoding. If an organization uses an event integration whose templat...

5CVSS6AI score0.00262EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/25 7:9 p.m.5 views

CVE-2026-57522

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

3.5CVSS6AI score0.00262EPSS
Exploits1References6
EUVD
EUVD
added 2026/06/25 7:9 p.m.4 views

EUVD-2026-39543

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

3.5CVSS6AI score0.00262EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/06/23 10:11 p.m.8 views

Snipe-IT's selectlist visibility is too permissive

Impact The GET /api/v1/object/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This...

7.1CVSS5.9AI score0.00396EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/18 8:36 p.m.4 views

GHSA-CW4Q-GQG5-G38H OpenClaw: Discord allowFrom could bind to mutable display names

Summary Discord allowFrom could bind to mutable display names. In affected versions, a Discord account able to change display or global name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change...

8.6CVSS5.7AI score0.00267EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/18 8:36 p.m.7 views

User Impersonation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to User Impersonation via the allowFrom process. An attacker can gain unauthorized access to agent privileges intended for another Discord identity by exploiting mutable display name metadat...

8.6CVSS5.9AI score0.00267EPSS
Exploits0References2
OSV
OSV
added 2026/06/18 8:17 p.m.5 views

GHSA-8C59-HR4W-QG69 OpenClaw: Zalo allowFrom could bind to mutable display names

Summary Zalo allowFrom could bind to mutable display names. In affected versions, a Zalo friend or contact with mutable display metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

8.6CVSS5.6AI score0.00225EPSS
Exploits0References4
NVD
NVD
added 2026/06/16 7:17 p.m.8 views

CVE-2026-53857

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when...

8.6CVSS0.00225EPSS
Exploits0References2
NVD
NVD
added 2026/06/16 7:17 p.m.11 views

CVE-2026-53849

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gai...

8.6CVSS0.00267EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:4 p.m.21 views

CVE-2026-53849

CVE-2026-53849 — OpenClaw prior to 2026.5.7 : A privilege-escalation in which the allowFrom feature validates Discord identity via mutable display names instead of immutable user IDs. An attacker with a Discord account can alter their display name to align with a policy entry and gain unauthorize...

8.6CVSS5.3AI score0.00267EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.13 views

PT-2026-49774

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.3 Description A policy enforcement issue exists where Zalo contacts with mutable display metadata can match allowFrom policy entries by changing their display names. This allows attackers with mutable display...

8.6CVSS5.2AI score0.00225EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/13 12:34 a.m.10 views

EUVD-2026-36611

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS5.2AI score0.00209EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 10:16 p.m.13 views

CVE-2026-53823

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS0.00209EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.34 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS0.00209EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.9 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS5.3AI score0.00209EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:56 p.m.27 views

CVE-2026-53823

OpenClaw is affected by a privilege-escalation vulnerability in the allowFrom feature, where binding to mutable Slack display names enables an attacker with Slack account access to alter display name metadata to match policy entries and gain unauthorized agent access intended for other identities...

8.6CVSS5.3AI score0.00209EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.16 views

PT-2026-49027

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.3 Description A privilege escalation issue exists in the allowFrom feature, which binds to mutable Slack display names. Attackers with access to a Slack account can modify display name metadata to match policy...

8.6CVSS5.2AI score0.00209EPSS
Exploits0References6
Rows per page
Query Builder