118 matches found
GHSA-RCX4-77X4-HJX5 Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-7jx5-9fjg-hp4m. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approv...
PT-2026-26747
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool...
OSV-2026-311 UNKNOWN READ in strncasecmp
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=487216732 Crash type: UNKNOWN READ Crash state: strncasecmp vcardcomponentstringtokind parsevcard...
CVE-2025-14522
A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/uploadjson.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the...
EUVD-2025-97475
Malicious code in kindmeerkatz3n npm...
EUVD-2025-97476
Malicious code in kindcrayfishz3n npm...
EUVD-2025-90701
Malicious code in kindpelicanz3n npm...
EUVD-2025-76467
Malicious code in kindguineafowl-tool npm...
EUVD-2025-78935
Malicious code in kindrodentz3n npm...
EUVD-2025-78936
Malicious code in kindkrillz3n npm...
EUVD-2025-81433
Malicious code in kindbugdumbs npm...
EUVD-2025-81430
Malicious code in kindwildfowldumbs npm...
EUVD-2025-81435
Malicious code in kindaardvark0xrequest npm...
EUVD-2025-72281
Malicious code in kindyellowsnipe-70-tisubasah npm...
EUVD-2025-63382
Malicious code in kindmammalz3n npm...
EUVD-2025-63383
Malicious code in kindbonoboz3n npm...
Malicious code in kind-violet-snake (npm)
Source: amazon-inspector (d45a9299357bf0f1a96592a661285dbdba348517df5d9dee4e723a316ca17a4b). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-53601
Malicious code in kind-beige-chimpanzee npm...
EUVD-2025-53600
Malicious code in kind-ivory-raven npm...
EUVD-2025-53599
Malicious code in kind-orange-cattle npm...