222 matches found
OpenClaw Security Vulnerability
OpenClaw is an open-source artificial intelligence assistant. Versions of OpenClaw prior to 2026.2.14 had security vulnerabilities that stemmed from the gateway not clearing the internal approval fields in the node.invoke parameters. This could allow attackers with valid gateway...
Missing Authorization
Overview: @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin. Affected versions of this package are vulnerable to Missing Authorization via fileConsent/invoke. An attacker can access or manipulate pending file uploads belonging to other conversations by providing a valid uploadId withi...
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
Summary: In the openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact: An attacker who obtained a valid uploadId within TTL could trigger...
GHSA-943Q-MWMV-HHVH OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval
Summary: OpenClaw Gateway exposes an authenticated HTTP endpoint, POST /tools/invoke, intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session...
GHSA-GV46-4XFQ-JV58 OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
Summary: A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters. Affected Component: - Gateway method: node.invoke for node command...
PT-2026-23541
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The gateway component fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with...
OSV-2026-304 Heap-use-after-free in tf::Executor::_invoke
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=486618382 Crash type: Heap-use-after-free READ 4 Crash state: tf::Executor::_invoke tf::Executor::_spawn void std::__1::__thread_proxy...
EUVD-2025-206480
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk...
CVE-2025-40554
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk...
OSV-2026-150 Null-dereference READ in wasm_runtime_invoke_native
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=478557340 Crash type: Null-dereference READ Crash state: wasm_runtime_invoke_native wasm_interp_call_wasm wasm_call_function...
CVE-2023-43538
Memory corruption in TZ Secure OS while Tunnel Invoke Manager initialization...
CVE-2022-50871
The CVE-2022-50871 entry concerns the Linux kernel component wifi: ath11k, specifically the qmi_msg_handler data structure initialization. The issue could allow an infinite loop while searching for a handler when a msg-id handler is missing from the handlers array, leading to out-of-bounds access...
Exploit for Command Injection in Microsoft
CVE-2025-54100 – PowerShell Response Parsing PoC Demonstrates...
Exploit for Command Injection in Microsoft
CVE-2025-54100 - PowerShell Response Parsing PoC This reposit...
Exploit for CVE-2025-54100
CVE-2026-0386 PowerShell's curl uses Invoke-WebRequest u...
KB5074353: Security Update for Windows PowerShell (OS Build 20348.4467)
KB5074353: Security Update for Windows PowerShell (OS Build 20348.4467). For information about Windows update terminology, see types of Windows updates and the monthly quality update types. To find an overview of Windows Server 2022, see the update history page for Windows Server 2022. Be sure to...
December 9, 2025—KB5071547 (OS Build 20348.4529)
December 9, 2025—KB5071547 (OS Build 20348.4529). This cumulative update for Windows Server 2022 (KB5071547) includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates,...
Unity Linux 20.1070e Security Update: kernel (UTSA-2025-414637)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-414637 advisory. An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RP...
EUVD-2023-47944
Malicious code in bioql PyPI...
EUVD-2024-19178
Malicious code in bioql PyPI...