Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass

Summary All 9 comment panel admin endpoints /api/panel/comments/ are missing RequireScopes middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions e.g., echo:read only can perfo...

CVE-2026-27484

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling timeout, kick, ban uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

CVE-2026-27484

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling timeout, kick, ban uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

User Impersonation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to User Impersonation via the moderation action handling process. An attacker can perform unauthorized moderation actions by spoofing sender identity fields in tool-driven flows. Note: This ...

OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

Overview Discord moderation action handling timeout, kick, ban used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. Impact In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin...

EUVD-2008-7041

Malware in sbrugna...