Lucene search
K

35 matches found

EUVD
EUVD
added 2 days ago4 views

EUVD-2026-43536

OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. Attackers with lower-trust access can perform actions requiring stronger authorization by leveraging group ID validation in the affected featu...

8.7CVSS6.1AI score0.0023EPSS
Exploits0References3
CVE
CVE
added 3 days ago11 views

CVE-2026-62196

OpenClaw has an authorization bypass in versions before 2026.6.6 (2026.3.22 affected). The vulnerability allows WhatsApp group IDs to satisfy elevated sender allowlists, enabling attackers with lower-trust access to perform actions that require stronger authorization by abusing group ID validatio...

8.7CVSS6.1AI score0.0023EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/02 7:43 p.m.9 views

EUVD-2026-41431

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and...

5CVSS5.9AI score0.0018EPSS
Exploits0References4
OSV
OSV
added 2026/07/02 7:43 p.m.3 views

CVE-2026-59100 LobeChat 2.2.9 - Broken Object Level Authorization via Chat-Group Agent Operations

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and...

2.3CVSS6.1AI score0.0018EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:43 p.m.7 views

CVE-2026-59100

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and...

5CVSS5.9AI score0.0018EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/02 7:43 p.m.7 views

CVE-2026-59100 LobeChat 2.2.9 - Broken Object Level Authorization via Chat-Group Agent Operations

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and...

5CVSS6.1AI score0.0018EPSS
Exploits0References4
OSV
OSV
added 2026/06/18 1:4 p.m.14 views

GHSA-985F-72MJ-8GF7 OpenClaw: Tool group policy callers could accept unvalidated group IDs

Summary Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id. This advisory is scoped to the named feature and configuration. It does not change...

6CVSS5.6AI score0.00169EPSS
Exploits0References4
NVD
NVD
added 2026/06/16 7:17 p.m.12 views

CVE-2026-53863

OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended acces...

7.1CVSS0.00169EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:5 p.m.24 views

CVE-2026-53863

OpenClaw before 2026.4.25 exposes an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. When a group ID is supplied to the policy resolver, it can lead to incorrect group-policy decisions for tool invocations, potentially bypassing intended access contr...

7.1CVSS5.3AI score0.00169EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/16 12:37 p.m.5 views

BIT-DISCOURSE-2026-47263 Discourse: Prevent webhook payload disclosure on event redelivery

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.4, 2026.3.0 to before 2026.3.1, and 2026.4.0 to before 2026.4.1, the MessageBus.publish call for /webhookevents/ in Jobs::RedeliverWebHookEvents did not pass groupids, leaving the channel readable by any...

4.3CVSS5.3AI score0.00211EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.20 views

PT-2026-49780

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.25 Description An input validation issue exists in tool group policy callers that accept unvalidated group IDs. An attacker capable of supplying a group ID to the policy resolver could trigger incorrect...

7.1CVSS5.3AI score0.00169EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.18 views

PT-2026-48987

Name of the Vulnerable Software and Affected Versions Discourse versions 2026.1.0 through 2026.1.3 Discourse versions 2026.3.0 through 2026.3.0 Discourse versions 2026.4.0 through 2026.4.0 Description An issue exists in the Jobs::RedeliverWebHookEvents function where the MessageBus.publish call f...

4.3CVSS5.2AI score0.00211EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/06/03 9:30 p.m.12 views

Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass

Summary Jupyter Enterprise Gateway has a prohibited UID and GID feature that by default prevents launching kernels with UID or GID 0 root. This can be bypassed. It is possible to launch kernels with a prohibited UID and/or GID by using a specially crafted KERNELUID or KERNELGID value. The feature...

6.1AI score0.00106EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.17 views

PT-2026-39862

Name of the Vulnerable Software and Affected Versions Vaultwarden versions prior to 1.35.5 Description Vaultwarden fails to verify that organization UUID entries in group and collection management are consistent. Specifically, the server does not enforce that a groups users.users organizations uu...

8.7CVSS5.8AI score0.00289EPSS
Exploits1References5
Snyk
Snyk
added 2026/04/27 5:22 p.m.7 views

Placement of User into Incorrect Group

Overview github.com/canonical/authd/internal/users is an authentication daemon for external Broker Affected versions of this package are vulnerable to Placement of User into Incorrect Group in the process responsible for assigning primary group IDs when a user's primary group ID differs from thei...

7.3CVSS5.8AI score0.0011EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/21 12:0 a.m.4 views

CVE-2026-40706

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfsbuildpermissionsposix in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path stat, readdir, open when...

8.4CVSS6AI score0.00165EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/04/21 12:0 a.m.38 views

CVE-2026-40706

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfsbuildpermissionsposix in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path stat, readdir, open when...

8.4CVSS0.00165EPSS
Exploits0References4
OSV
OSV
added 2026/03/29 12:44 p.m.4 views

CVE-2026-32975 OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages...

6.9CVSS6AI score0.00335EPSS
Exploits0References4
OSV
OSV
added 2026/03/13 8:54 p.m.5 views

GHSA-F5MF-3R52-R83W OpenClaw's Zalouser allowlist authorization matched mutable group names by default

Summary OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be...

9.8CVSS5.9AI score0.00335EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/01/13 12:0 a.m.4 views

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from a failure to clean up multicast GID table references when destroying CM IDs, which could lead to reference...

5.5CVSS6AI score0.00114EPSS
Exploits0References5
Rows per page
Query Builder