AgenticMail API/storage and outbound relay hardening fixes

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct...

OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes

Summary The agent-facing gateway tool protects config.apply and config.patch with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway...

EUVD-2026-25848

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...

CVE-2026-41081 Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...

PT-2026-35414

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...

GHSA-XH72-V6V9-MWHC OpenClaw: Feishu webhook and card-action validation now fail closed

Summary Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact A...

OpenClaw: Feishu webhook and card-action validation now fail closed

Summary Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact A...

GHSA-39PP-XP36-Q6MG OpenClaw has Inconsistent Host Exec Environment Override Sanitization

Summary Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released t...

OpenClaw has Inconsistent Host Exec Environment Override Sanitization

Summary Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released t...

GHSA-534W-2VM4-89XR OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch

A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended...

OpenClaw has Canvas route hardening for mixed-trust deployments

Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Som...

CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths

Summary On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior. Impact In affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper...

ethtool: fail closed if we can't get max channel used in indirection tables

...

CVE-2024-46834 ethtool: fail closed if we can't get max channel used in indirection tables

In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 "bnxt: fix crashes when reducing ring count with active RSS contexts" proves that allowing indirection table to contain channels with...

PT-2023-9658 · Cisco · Cisco Ios Xe +1

Name of the Vulnerable Software and Affected Versions: Cisco Unified Threat Defense UTD Snort Intrusion Prevention System IPS Engine for Cisco IOS XE Software affected versions not specified Description: A vulnerability in the Cisco UTD Snort IPS Engine could allow an unauthenticated, remote...

Sygate Personal Firewall Pro 5.5 - Local Fail-Close Bypass

source: https://www.securityfocus.com/bid/10540/info A vulnerability is reported to affect the Sygate Personal Firewall fail-closed functionality. It is reported that the kernel-space NDIS driver does not verify the origin of messages that are received through the associated device. As a result o...