Patchstack (added 2026/04/25 11:45 p.m.)

NPM: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

NPM: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization. Vulnerability discovered by ? in the openclaw npm package, versions 2026.4.20...

CVSS 6.5 | AI score 5.8 | EPSS 0.00222 | Exploits 0 | References 5 | Affected software 1
OSV (added 2026/04/25 11:45 p.m.)

GHSA-V8QF-FR4G-28P2 OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

Affected package: openclaw (npm). Affected versions: < 2026.4.20. Patched version: 2026.4.20. Impact: The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy...

CVSS 4.3 | AI score 5.8 | EPSS 0.00222 | Exploits 0 | References 5
GitHub Security Blog (added 2026/04/25 11:45 p.m.)

OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

Affected package: openclaw (npm). Affected versions: < 2026.4.20. Patched version: 2026.4.20. Impact: The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy...

CVSS 6.5 | AI score 5.3 | EPSS 0.00222 | Exploits 0 | References 5 | Affected software 1
Snyk (added 2026/04/24 2:29 a.m.)

Incorrect Authorization

Overview: openclaw is 🦞 OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route: an attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation. Remediation: Upgrad...

CVSS 6.5 | AI score 5.5 | EPSS 0.00222 | Exploits 0 | References 2
OSV (added 2026/04/23 6:33 p.m.)

GHSA-QGX9-6PX9-7P75 Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

Duplicate advisory: This advisory has been withdrawn because it is a duplicate of GHSA-v8qf-fr4g-28p2. This link is maintained to preserve external references. Original description: OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows...

CVSS 4.3 | AI score 5.7 | EPSS 0.00222 | Exploits 0 | References 4
Cvelist (added 2026/04/23 5:52 p.m.)

CVE-2026-41908 OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to...

CVSS 4.3 | EPSS 0.00222 | Exploits 0 | References 3
CVE (added 2026/04/23 5:52 p.m.)

CVE-2026-41908

CVE-2026-41908: OpenClaw prior to 2026.4.20 contains a scope enforcement bypass in the assistant-media route. Trusted-proxy callers lacking operator.read can bypass identity-bearing HTTP auth scope validation to access protected assistant-media files and metadata within allowed media roots. Affec...

CVSS 6.5 | AI score 5.8 | EPSS 0.00222 | Exploits 0 | References 3 | Affected software 1
Vulnrichment (added 2026/04/23 5:52 p.m.)

CVE-2026-41908 OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to...

CVSS 4.3 | AI score 5.8 | EPSS 0.00222 | Exploits 0 | References 3
Positive Technologies (added 2026/04/23 12:00 a.m.)

PT-2026-34709

Vulnerable software and affected versions: OpenClaw versions prior to 2026.4.20. Description: A scope enforcement bypass exists in the 'assistant-media' route. This allows trusted-proxy callers who lack the operator.read scope to bypass identity-bearing HTTP auth path scope validation...

CVSS 4.3 | AI score 5.1 | EPSS 0.00222 | Exploits 0 | References 6
AttackerKB (added 2026/04/01 4:08 p.m.)

CVE-2026-34603

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the...

CVSS 7.1 | AI score 5.8 | EPSS 0.00408 | Exploits 0 | References 3 | Affected software 1
Positive Technologies (added 2026/02/25 12:00 a.m.)

PT-2026-22087

Vulnerable software and affected versions: Drupal Islandora versions prior to 2.17.5. Description: A flaw exists in Drupal Islandora that allows for Cross-Site Scripting (XSS). The issue stems from insufficient sanitization of URI paths used in a custom route for attaching media to nodes...

CVSS 5.4 | AI score 5.9 | EPSS 0.00176 | Exploits 0 | References 5