12 matches found

Vulnrichment
added 2026/03/18 1:34 a.m. | 3 views

CVE-2026-22181 OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch

OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced...

CVSS 7.6 | AI score 5.8 | EPSS 0.00066
Exploits: 0 | References: 3

Github Security Blog
added 2026/03/03 9:19 p.m. | 5 views

OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured

Summary: openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destinati...

CVSS 7.6 | AI score 5.9 | EPSS 0.00066
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2026/03/03 9:19 p.m. | 3 views

GHSA-8MVX-P2R9-R375 OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured

Summary: openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destinati...

CVSS 6.1 | AI score 5.9 | EPSS 0.00066
Exploits: 0 | References: 5

Positive Technologies
added 2026/03/03 12:0 a.m. | 4 views

PT-2026-26012

Summary: openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one...

CVSS 6.4 | AI score 5.8 | EPSS 0.00066
Exploits: 0 | References: 9

Snyk
added 2026/01/19 9:50 p.m. | 10 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the environment proxy middleware. An attacker can gain unauthorized access to and manipulate remote environment resources by sending unauthenticated requests that are proxied to remote...

CVSS 9.8 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 2

Snyk
added 2026/01/19 9:50 p.m. | 8 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the environment proxy middleware. An attacker can gain unauthorized access to and manipulate remote environment resources by sending unauthenticated requests that are proxied to remote...

CVSS 9.8 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 2

Cvelist
added 2026/01/19 9:16 p.m. | 22 views

CVE-2026-23944 Arcane allows unauthenticated proxy access to remote environments

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled...

CVSS 9.3 | EPSS 0.00204
Exploits: 0 | References: 4

Vulnrichment
added 2026/01/19 9:16 p.m. | 4 views

CVE-2026-23944 Arcane allows unauthenticated proxy access to remote environments

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled...

CVSS 9.3 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 4

ATTACKERKB
added 2026/01/19 9:16 p.m. | 39 views

CVE-2026-23944

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled...

CVSS 9.8 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 5 | Affected Software: 1

CVE
added 2026/01/19 9:16 p.m. | 661 views

CVE-2026-23944

CVE-2026-23944 affects Arcane prior to v1.13.2. The vulnerability exists in the environment proxy middleware which handles /api/environments/{id}/… requests for remote environments before authentication is enforced. If the environment ID is not local, the middleware proxies the request and attach...

CVSS 9.8 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 4 | Affected Software: 1

OSV
added 2026/01/19 9:16 p.m. | 6 views

CVE-2026-23944 Arcane allows unauthenticated proxy access to remote environments

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled...

CVSS 9.3 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 6

EUVD
added 2026/01/19 9:16 p.m. | 4 views

EUVD-2026-3280

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled...

CVSS 9.3 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 4