58579 matches found
CVE-2026-32051 OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access
OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perfo...
CVE-2026-32042 OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present...
PT-2026-26725
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present...
OpenClaw security vulnerability
OpenClaw is an open-source AI assistant published by OpenClaw. OpenClaw contains a security vulnerability that an attacker can exploit so that an authenticated caller holding only the operator.write scope can invoke the owner-only tool interface...
MetaGPT code injection vulnerability
MetaGPT is a multi-agent framework developed by MetaGPT Inc. MetaGPT versions 0.8.1 and earlier contain a code injection vulnerability. The flaw lies in the code-generation function in the file metagpt/ext/aflow/scripts/operator.py. It could...
GHSA-X49Q-FHHM-R9JF Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqpp-rjj8-7wv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that...
CVE-2026-22172
OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorize...
CVE-2026-22172
OpenClaw is affected: versions prior to 2026.3.12 contain an authorization bypass in the WebSocket connect path. The flaw lets shared-token or password-authenticated connections self-declare elevated scopes without server-side binding, enabling unauthorized scopes such as operator.admin and poten...
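The two OpenClaw entries above describe the same underlying mistake at two layers: the WebSocket connect path (CVE-2026-22172) accepts scopes the client declares for itself instead of binding them to the credential on the server, and the agent-run path (CVE-2026-32051) checks for a weaker scope than the direct-call path does before reaching owner-only tools such as gateway and cron. The following is an added illustration written for this page, not OpenClaw's own code: it shows each pattern in a vulnerable and a hardened form. The token table, the tool names in the owner-only set, the connect-frame shape and the function names are all assumptions made for the example.

```javascript
// Added example (not OpenClaw code): server-side scope binding at connect time and
// one shared policy check for every path that can reach an owner-only tool.
// Token table, tool names and frame shape are assumptions for this illustration.

// Constructed server-side grant table: scopes are bound to the credential here,
// never copied from what the client sends.
const TOKEN_SCOPES = new Map([
  ["tok-operator-write", new Set(["operator.read", "operator.write"])],
  ["tok-owner", new Set(["operator.read", "operator.write", "operator.admin"])],
]);

// Tools reserved for the owner/admin, whichever entry path reaches them.
const OWNER_ONLY_TOOLS = new Set(["gateway", "cron"]);

// Vulnerable connect: the token is validated, but the session's scopes are taken
// verbatim from the connect frame, so any valid token can claim operator.admin.
function connectVulnerable(frame) {
  if (!TOKEN_SCOPES.has(frame.token)) return { ok: false, reason: "bad token" };
  return { ok: true, scopes: new Set(frame.scopes || []) };
}

// Hardened connect: scopes come from the server-side grant. A client may narrow
// them; asking for anything outside the grant fails the connect outright instead
// of being silently trimmed, so misconfigured clients are noticed.
function connectHardened(frame) {
  const granted = TOKEN_SCOPES.get(frame.token);
  if (!granted) return { ok: false, reason: "bad token" };
  const requested = frame.scopes ? new Set(frame.scopes) : granted;
  for (const s of requested) {
    if (!granted.has(s)) return { ok: false, reason: `scope not granted: ${s}` };
  }
  return { ok: true, scopes: requested };
}

// The single policy decision for tool invocation, used by every entry path.
function canInvokeTool(scopes, tool) {
  if (OWNER_ONLY_TOOLS.has(tool)) return scopes.has("operator.admin");
  return scopes.has("operator.write");
}

// Vulnerable agent run: gates the run on operator.write and then forwards the
// tool calls without re-applying the owner-only check the direct path applies.
function runAgentVulnerable(session, toolCalls) {
  if (!session.scopes.has("operator.write")) return { ok: false, reason: "no write scope" };
  return { ok: true, invoked: toolCalls.map((c) => c.tool) };
}

// Hardened agent run: every tool call inside the run goes through canInvokeTool,
// so the agent-run path is never a cheaper route to gateway or cron.
function runAgentHardened(session, toolCalls) {
  if (!session.scopes.has("operator.write")) return { ok: false, reason: "no write scope" };
  const denied = toolCalls.filter((c) => !canInvokeTool(session.scopes, c.tool)).map((c) => c.tool);
  if (denied.length) return { ok: false, reason: `owner-only tool(s): ${denied.join(",")}` };
  return { ok: true, invoked: toolCalls.map((c) => c.tool) };
}

// Constructed attacker scenario: a write-scope token whose connect frame
// self-declares operator.admin, followed by an agent run that calls cron.
function demo() {
  const frame = { token: "tok-operator-write", scopes: ["operator.write", "operator.admin"] };
  const calls = [{ tool: "cron", args: { schedule: "* * * * *" } }];
  const vulnSession = connectVulnerable(frame);
  return {
    vulnConnect: vulnSession,
    hardConnect: connectHardened(frame),
    vulnRun: runAgentVulnerable(vulnSession, calls),
    // Even with the correctly bound write-only scopes, the hardened run refuses cron.
    hardRun: runAgentHardened({ scopes: TOKEN_SCOPES.get(frame.token) }, calls),
  };
}
```

The hardened connect rejects rather than trims an over-broad scope request; the fix that matters is that the session's scope set is derived from `TOKEN_SCOPES`, and the agent-run fix is that `canInvokeTool` is the only place owner-only tools are decided, so adding a third entry path cannot reintroduce the mismatch.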
GHSA-Q382-VC8Q-7JHJ vulnerabilities
Vulnerabilities for packages: ferretdb, jaeger-fips, opencost-fips, datadog-agent, datadog-agent-fips, flux-operator-fips, gitlab-workhorse-ce, jaeger, livekit-cli, osv-scanner, opencost, flux-operator, gitlab-workhorse-ce-fips, glab...
GHSA-89XV-2J6F-QHC8 vulnerabilities
Vulnerabilities for packages: ferretdb, jaeger-fips, opencost-fips, datadog-agent, datadog-agent-fips, flux-operator-fips, gitlab-workhorse-ce, jaeger, livekit-cli, osv-scanner, opencost, flux-operator, gitlab-workhorse-ce-fips, glab...
CVE-2026-33252 vulnerabilities
Vulnerabilities for packages: ferretdb, jaeger-fips, opencost-fips, datadog-agent, datadog-agent-fips, flux-operator-fips, gitlab-workhorse-ce, jaeger, livekit-cli, osv-scanner, opencost, flux-operator, gitlab-workhorse-ce-fips, glab...
ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.114.0 <=0.120.0), ai.ancf.lmos:arc-runner (>=0.114.0 <=0.120.0) +1424 more potentially affected by CVE-2026-22737 via org.springframework:spring-webflux (>=6.2.0 <=6.2.16)
org.springframework:spring-webflux (Maven), affected range >=6.2.0 <=6.2.16; listed dependents include ai.telosforge:kimaira-util-webclient =1.2.6 and more. Source CVE: CVE-2026-22737. Source advisory: ...
ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.114.0 <=0.120.0), ai.ancf.lmos:arc-runner (>=0.114.0 <=0.120.0) +1424 more potentially affected by CVE-2026-22735 via org.springframework:spring-webflux (>=6.2.0 <=6.2.16)
org.springframework:spring-webflux (Maven), affected range >=6.2.0 <=6.2.16; listed dependents include ai.telosforge:kimaira-util-webclient =1.2.6 and more. Source CVE: CVE-2026-22735. Source advisory: ...
CVE-2026-32025
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-forc...
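The CVE-2026-32025 entry describes a loopback-only exemption: a gateway bound to 127.0.0.1 treated every local connection as trusted and skipped both the Origin check and auth throttling, forgetting that a browser on the same host is also local, so a malicious page could open WebSockets to the gateway and guess passwords without limit. The following is an added illustration written for this page, not OpenClaw's own code: the same upgrade handler with and without the loopback exemption, driven by a constructed brute-force scenario. The allowlisted origins, the port, the attempt limit and window, the request shape and the `x-password` header are all assumptions made for the example.

```javascript
// Added example (not OpenClaw code): Origin allowlisting and auth-failure
// throttling for a WebSocket upgrade, shown with and without a loopback exemption.
// Origins, port, limits, request shape and header names are assumptions.

const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:18789", "http://localhost:18789"]);
const MAX_FAILURES = 5;   // failed password attempts tolerated per key per window
const WINDOW_MS = 60_000; // sliding window for the failure counter

function isLoopback(addr) {
  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
}

// A request that carries an Origin header comes from a browser context and must
// match the allowlist. Clients without Origin skip only this check, not auth.
function originAllowed(headers) {
  const origin = headers.origin;
  if (origin === undefined) return true;
  return ALLOWED_ORIGINS.has(origin);
}

// Throttle state is keyed on remote address plus origin so that one hostile page
// cannot spend the whole host's budget, and a loopback key still gets a budget.
function throttleKey(req) {
  return `${req.remoteAddress}|${req.headers.origin ?? "-"}`;
}

function throttled(state, key, now) {
  const rec = state.get(key);
  if (!rec) return false;
  if (now - rec.first > WINDOW_MS) { state.delete(key); return false; }
  return rec.count >= MAX_FAILURES;
}

function recordFailure(state, key, now) {
  const rec = state.get(key);
  if (!rec || now - rec.first > WINDOW_MS) state.set(key, { first: now, count: 1 });
  else rec.count += 1;
}

// Vulnerable: both controls are skipped for loopback peers, so a page the user
// opened in a local browser can drive unlimited guesses from any origin.
function upgradeVulnerable(req, state, verifyPassword, now) {
  const local = isLoopback(req.remoteAddress);
  if (!local) {
    if (!originAllowed(req.headers)) return { accept: false, reason: "origin" };
    if (throttled(state, throttleKey(req), now)) return { accept: false, reason: "throttled" };
  }
  const ok = verifyPassword(req.headers["x-password"]);
  if (!ok && !local) recordFailure(state, throttleKey(req), now);
  return ok ? { accept: true } : { accept: false, reason: "password" };
}

// Hardened: the same checks apply to every peer; where the packet came from says
// nothing about which web page is driving the browser that sent it.
function upgradeHardened(req, state, verifyPassword, now) {
  if (!originAllowed(req.headers)) return { accept: false, reason: "origin" };
  const key = throttleKey(req);
  if (throttled(state, key, now)) return { accept: false, reason: "throttled" };
  const ok = verifyPassword(req.headers["x-password"]);
  if (!ok) recordFailure(state, key, now);
  return ok ? { accept: true } : { accept: false, reason: "password" };
}

// Constructed scenario: a page served from `origin` runs in the user's browser and
// opens one WebSocket per guess to the loopback gateway, one second apart.
function bruteForce(handler, origin, guesses) {
  const state = new Map();
  const verify = (pw) => pw === "correct horse"; // constructed gateway password
  let accepted = null;
  const reasons = [];
  guesses.forEach((pw, i) => {
    const req = { remoteAddress: "127.0.0.1", headers: { origin, "x-password": pw } };
    const r = handler(req, state, verify, 1000 * i);
    reasons.push(r.accept ? "accepted" : r.reason);
    if (r.accept && accepted === null) accepted = i;
  });
  return { accepted, reasons };
}
```

Against the vulnerable handler the hostile page succeeds on whichever guess is correct; against the hardened one every attempt from `https://evil.example` is refused at the Origin check before the password is even read, and a page from an allowlisted origin is cut off after `MAX_FAILURES` wrong guesses within the window.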