309 matches found

Cvelist
added 2026/03/05 9:59 p.m., 26 views

CVE-2026-28480 OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization

OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with...

CVSS 6.9, EPSS 0.00044
Exploits 0, References 4
Vulnrichment
added 2026/03/05 9:59 p.m., 1 views

CVE-2026-28480 OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization

OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with...

CVSS 6.9, AI score 5.8, EPSS 0.00044
Exploits 0, References 4
Positive Technologies
added 2026/03/05 12:0 a.m., 2 views

PT-2026-23555

OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with...

CVSS 9.8, AI score 5.9, EPSS 0.00044
Exploits 0, References 5
OSV
added 2026/03/04 6:58 p.m., 3 views

GHSA-F6H3-846H-2R8W OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization

Summary: In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context: OpenClaw is commonly used in 1:1 chats or trusted group...

CVSS 5.3, AI score 5.9
Exploits 0, References 3
Github Security Blog
added 2026/03/04 6:58 p.m., 7 views

OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization

Summary: In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context: OpenClaw is commonly used in 1:1 chats or trusted group...

AI score 5.9
Exploits 0, References 3, Affected Software 1
Snyk
added 2026/03/03 7:18 p.m., 2 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via system.run when a mutable symlink is used as the cwd target between approval and execution. An attacker can execute commands in an...

CVSS 8.7, AI score 5.9, EPSS 0.0001
Exploits 0, References 3
Github Security Blog
added 2026/03/03 7:18 p.m., 5 views

OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host

Summary: In [email protected], approval-bound system.run on node hosts could be influenced by mutable symlink cwd targets between approval and execution. Details: Approval matching on the gateway validated command/argv and binding fields, including cwd, as provided text. Node execution later used...

CVSS 7, AI score 6.1, EPSS 0.0001
Exploits 0, References 5, Affected Software 1
Snyk
added 2026/02/18 12:54 a.m., 4 views

User Impersonation

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to User Impersonation in the Telegram allowlist authorization. An attacker can gain unauthorized access by registering or taking over a previously authorized @username and interacting with t...

CVSS 6.9, AI score 5.7, EPSS 0.00044
Exploits 0, References 2
Github Security Blog
added 2026/02/17 10:56 p.m., 5 views

OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch

Summary: Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name users/. This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals. Affected Packages / Versions: As of 2026-02-14; based on latest...

AI score 5.6
Exploits 0, References 5, Affected Software 2
Snyk
added 2026/02/17 10:56 p.m., 2 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the allowFrom. An attacker can gain unauthorized access by exploiting the acceptance of mutable email principals in authorization checks. Note: This is only...

CVSS 3.3, AI score 5.7
Exploits 0, References 3
Packet Storm News
added 2026/02/13 12:0 a.m., 2 views

Cryptographic Choreographies

We present CryptoChoreo, a choreography language for the specification of cryptographic protocols. Choreographies can be regarded as an extension of Alice-and-Bob notation, providing an intuitive high-level view of the protocol as a whole rather than specifying each protocol role in isolation. Th...

AI score 5.8
Exploits 0
EUVD
added 2026/02/04 8:46 p.m., 2 views

EUVD-2023-48031

EVE: SSH as Root Unlockable Without Triggering Measured Boot...

CVSS 8.8, AI score 7.9, EPSS 0.0003
Exploits 0, References 6
RedhatCVE
added 2026/01/09 11:17 a.m., 2 views

CVE-2021-0336

In onReceive of BluetoothPermissionRequest.java, there is a possible permissions bypass due to a mutable PendingIntent. This could lead to local escalation of privilege that bypasses a permission check, with User execution privileges needed. User interaction is not needed for exploitation. Product...

CVSS 7.8, AI score 6.7, EPSS 0.00012
Exploits 0, References 1
Github Security Blog
added 2026/01/07 8:38 p.m., 14 views

`IterMut` violates Stacked Borrows by invalidating internal pointer

Affected versions of this crate contain a soundness issue in the IterMut iterator implementation. The IterMut::next and IterMut::next_back methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer. This invalidates the shared pointer held by the...

AI score 6.9
Exploits 0, References 3, Affected Software 1
SUSE CVE
added 2025/12/16 12:23 a.m., 1 views

SUSE CVE-2025-65431

An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead...

CVSS 5.4, AI score 7.3, EPSS 0.00039
Exploits 0, References 3
OSV
added 2025/12/15 3:30 p.m., 2 views

GHSA-8M3C-C723-H4P4 django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions

An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead...

CVSS 5.4, AI score 7.1, EPSS 0.00039
Exploits 0, References 5
Github Security Blog
added 2025/12/15 3:30 p.m., 8 views

django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions

An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead...

CVSS 5.4, AI score 7.3, EPSS 0.00039
Exploits 0, References 5, Affected Software 1
Tenable Nessus
added 2025/12/15 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2025-65431

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts...

CVSS 5.4, AI score 5.8, EPSS 0.00039
Exploits 0, References 3
Snyk
added 2025/12/02 6:31 a.m., 1 views

Improper Restriction of Communication Channel to Intended Endpoints

Overview fastcrud is a FastCRUD is a Python package for FastAPI, offering robust async CRUD operations and flexible endpoint creation utilities. Affected versions of this package are vulnerable to Improper Restriction of Communication Channel to Intended Endpoints due to improper handling of the...

CVSS 7.1, AI score 7.1
Exploits 0, References 3
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-1747

Malware in sbrugna...

CVSS 9.1, AI score 8.8, EPSS 0.00334
Exploits 1, References 5