5 matches found
CVE-2026-33580
OpenClaw prior to 2026.3.28 has a missing rate limiting vulnerability in Nextcloud Talk webhook authentication, allowing attackers who can reach the webhook endpoint to brute-force a weak shared secret and forge inbound webhook events. Affected component referenced in advisories is extensions/nex...
PT-2026-29260
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...
OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
Summary: In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied. Affected Packages / Versions: Package: openclaw (npm); Affected: = 2026.2.24 (latest published at patch time); Fixed: 2026.2.25. Details: In the...
GHSA-792Q-QW95-F446 OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
Summary: In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied. Affected Packages / Versions: Package: openclaw (npm); Affected: = 2026.2.24 (latest published at patch time); Fixed: 2026.2.25. Details: In the...
django-anymail Includes Sensitive Information in Log Files
Anymail django-anymail versions 0.2 through 1.3 contain a CWE-532, CWE-209 vulnerability in the WEBHOOK_AUTHORIZATION setting value that can result in an attacker with access to error logs being able to fabricate email tracking events. This attack appears to be exploitable via: If you have exposed your...