Lucene search
K

4 matches found

Github Security Blog
Github Security Blog
added 2026/05/11 6:31 p.m.13 views

Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c28g-vh7m-fm7v. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner...

4.2CVSS5.8AI score0.00237EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2026/05/11 4:46 p.m.34 views

CVE-2026-44991 OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands...

4.2CVSS0.00237EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/04/29 9:27 p.m.6 views

NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.20...

5.8AI score
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/29 9:27 p.m.5 views

GHSA-C28G-VH7M-FM7V OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

Impact OpenClaw deployments before 2026.4.21 could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared commands.enforceOwnerForCommands: true; - the channel accepted wildcard inbound senders with allowFrom: ""; ...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References6
Rows per page
Query Builder