19 matches found

Snyk
added 2026/04/24 2:29 a.m. · 2 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route. An attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation. Remediation: Upgrad...

CVSS 6.5 · AI score 5.5 · EPSS 0.00036
Exploits 0 · References 2
EUVD
added 2026/04/23 6:33 p.m. · 0 views

EUVD-2026-25274

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to...

CVSS 4.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 4
OSV
added 2026/04/23 6:33 p.m. · 1 view

GHSA-QGX9-6PX9-7P75 Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-v8qf-fr4g-28p2. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows...

CVSS 4.3 · AI score 5.7 · EPSS 0.00036
Exploits 0 · References 4
NVD
added 2026/04/23 6:16 p.m. · 1 view

CVE-2026-41908

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to...

CVSS 6.5 · EPSS 0.00036
Exploits 0 · References 3
Vulnrichment
added 2026/04/23 5:52 p.m. · 0 views

CVE-2026-41908 OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to...

CVSS 4.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 3
ATTACKERKB
added 2026/04/23 5:52 p.m. · 0 views

CVE-2026-41908

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to...

CVSS 4.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 4
Cvelist
added 2026/04/23 5:52 p.m. · 29 views

CVE-2026-41908 OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to...

CVSS 4.3 · EPSS 0.00036
Exploits 0 · References 3
Positive Technologies
added 2026/04/23 12:00 a.m. · 1 view

PT-2026-34709

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.20. Description: A scope enforcement bypass exists in the 'assistant-media' route. This allows trusted-proxy callers who lack the operator.read scope to bypass identity-bearing HTTP auth path scope validation...

CVSS 4.3 · AI score 5.1 · EPSS 0.00036
Exploits 0 · References 6
CNNVD
added 2026/04/23 12:00 a.m. · 5 views

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.20 contain a security vulnerability that stems from a scope enforcement bypass in the assistant-media route. This vulnerability...

CVSS 6.5 · AI score 5.9 · EPSS 0.00036
Exploits 0 · References 1
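The OpenClaw entries above all describe one defect: the assistant-media route's operator.read requirement was enforced for identity-bearing HTTP auth but not for callers that arrived through a trusted proxy, so the second authentication path became the bypass. What follows is an added, illustrative reproduction of that bug class in Python. It is not OpenClaw's code: the token table, the `x-forwarded-user` and `x-forwarded-scopes` headers, the route table and the `chat.read` scope are assumptions for the example; only `operator.read` and the assistant-media route name come from the advisory text.

```python
"""
Added example (not OpenClaw code): a route whose scope check is wired to only
one of two authentication paths, beside the hardened form that checks scope
for every principal regardless of how it authenticated.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    subject: str
    scopes: frozenset
    via: str  # "http-auth" (identity-bearing token) or "trusted-proxy"


# Constructed sample data: bearer tokens, one trusted proxy, a route table.
TOKENS = {
    "tok-operator": Principal("alice", frozenset({"operator.read", "operator.write"}), "http-auth"),
    "tok-viewer": Principal("bob", frozenset({"chat.read"}), "http-auth"),
}
TRUSTED_PROXIES = {"10.0.0.5"}
# Assumed route table: path prefix -> scope the route requires.
ROUTE_SCOPES = {"/assistant-media/": "operator.read", "/chat/": "chat.read"}
MEDIA = {"/assistant-media/recording-1.ogg": b"OggS-constructed-bytes"}


def authenticate(headers: dict, client_ip: str):
    """Resolve a Principal from either auth path; None if unauthenticated."""
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        return TOKENS.get(auth[len("Bearer "):])
    if client_ip in TRUSTED_PROXIES and "x-forwarded-user" in headers:
        # Assumed convention: the proxy forwards the caller's scopes as a
        # space-separated header; a missing header means no scopes at all.
        scopes = frozenset(headers.get("x-forwarded-scopes", "").split())
        return Principal(headers["x-forwarded-user"], scopes, "trusted-proxy")
    return None


def required_scope(path: str):
    for prefix, scope in ROUTE_SCOPES.items():
        if path.startswith(prefix):
            return scope
    return None


def handle_vulnerable(headers: dict, client_ip: str, path: str) -> bytes:
    """Scope is validated only on the identity-bearing HTTP-auth path."""
    p = authenticate(headers, client_ip)
    if p is None:
        raise Forbidden("unauthenticated")
    scope = required_scope(path)
    # BUG: trusted-proxy principals never reach the scope comparison.
    if p.via == "http-auth" and scope and scope not in p.scopes:
        raise Forbidden(f"{scope} required")
    return MEDIA[path]


def handle_fixed(headers: dict, client_ip: str, path: str) -> bytes:
    """Scope is validated for every principal, whichever path produced it."""
    p = authenticate(headers, client_ip)
    if p is None:
        raise Forbidden("unauthenticated")
    scope = required_scope(path)
    if scope and scope not in p.scopes:
        raise Forbidden(f"{scope} required")
    return MEDIA[path]


def can_read(handler, headers: dict, client_ip: str, path: str) -> bool:
    """True if the handler serves the file, False if it raises Forbidden."""
    try:
        handler(headers, client_ip, path)
        return True
    except Forbidden:
        return False


# Constructed requests: a proxied caller with no scopes, and one with operator.read.
PROXY_NO_SCOPE = {"x-forwarded-user": "carol"}
PROXY_SCOPED = {"x-forwarded-user": "dave", "x-forwarded-scopes": "operator.read"}
MEDIA_PATH = "/assistant-media/recording-1.ogg"

if __name__ == "__main__":
    print("vulnerable, proxy caller without operator.read:",
          can_read(handle_vulnerable, PROXY_NO_SCOPE, "10.0.0.5", MEDIA_PATH))
    print("fixed, proxy caller without operator.read:     ",
          can_read(handle_fixed, PROXY_NO_SCOPE, "10.0.0.5", MEDIA_PATH))
```

The check a practitioner wants is the invariant in the fixed handler: the required scope is derived from the route and compared against whatever principal authentication produced, so adding a new authentication path cannot silently widen access. A test that drives every scoped route through every auth path with an under-scoped principal catches this class before release.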
Cvelist
added 2025/12/18 7:20 a.m. · 14 views

CVE-2025-13498 Download Manager <= 3.3.32 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure

The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the wpdmmediaaccess AJAX action. This makes it possible for authenticated attackers,...

CVSS 4.3 · EPSS 0.00044
Exploits 0 · References 5
Positive Technologies
added 2025/12/18 12:00 a.m. · 3 views

PT-2025-51998

Name of the Vulnerable Software and Affected Versions: Download Manager plugin for WordPress versions prior to 3.3.33. Description: The Download Manager plugin for WordPress is susceptible to unauthorized access of sensitive information. This is caused by missing authorization and capability checks ...

CVSS 4.3 · AI score 6.1 · EPSS 0.00044
Exploits 0 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2023-0054

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.5 · EPSS 0.00101
Exploits 1 · References 6
Malwarebytes
added 2025/09/23 2:29 p.m. · 3 views

American Archive of Public Broadcasting allowed access to restricted media for years

A security flaw in the American Archive of Public Broadcasting (AAPB) website allowed unauthorized access to protected and private media, according to BleepingComputer. The American Archive of Public Broadcasting (AAPB) is a collaborative initiative between the Library of Congress and WGBH Educationa...

AI score 6.4
Exploits 0
RedhatCVE
added 2025/05/22 6:55 p.m. · 4 views

CVE-2021-46897

views.py in Wagtail CRX (CodeRed Extensions), formerly CodeRed CMS or coderedcms, before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media...

CVSS 6.5 · AI score 6.8 · EPSS 0.00101
Exploits 1
OSV
added 2023/10/22 7:15 p.m. · 20 views

PYSEC-2023-210

views.py in Wagtail CRX (CodeRed Extensions), formerly CodeRed CMS or coderedcms, before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media...

CVSS 6.5 · AI score 6.9 · EPSS 0.00101
Exploits 1 · References 3
PyPA
added 2023/10/22 7:15 p.m. · 4 views

PYSEC-2023-210

views.py in Wagtail CRX (CodeRed Extensions), formerly CodeRed CMS or coderedcms, before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media...

CVSS 6.5 · AI score 7 · EPSS 0.00101
Exploits 1 · References 3 · Affected Software 1
Prion
added 2023/10/22 7:15 p.m. · 10 views

Path traversal

views.py in Wagtail CRX (CodeRed Extensions), formerly CodeRed CMS or coderedcms, before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media...

CVSS 4 · AI score 6.5 · EPSS 0.00101
Exploits 1 · References 3 · Affected Software 1
CNNVD
added 2023/10/22 12:00 a.m. · 1 view

Torchbox Wagtail Path Traversal Vulnerability

Torchbox Wagtail is an open source content management system (CMS) from Torchbox (UK). A security vulnerability exists in Wagtail CRX (CodeRed Extensions, CodeRed CMS/coderedcms) versions prior to 0.22.3, which stems from a path traversal allowed by views.py when serving protected media...

CVSS 6.5 · AI score 6.7 · EPSS 0.00101
Exploits 1 · References 4
Positive Technologies
added 2023/10/22 12:00 a.m. · 2 views

PT-2023-12617 · Unknown · Wagtail Crx Codered Extensions

Name of the Vulnerable Software and Affected Versions: Wagtail CRX (CodeRed Extensions) versions prior to 0.22.3. Description: The issue allows upward protected/..%2f..%2f path traversal when serving protected media. This is due to a problem in views.py. Recommendations: For versions prior to 0.22.3...

CVSS 6.5 · AI score 6.3 · EPSS 0.00101
Exploits 1 · References 13
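The Wagtail CRX entries above give the traversal string (`protected/..%2f..%2f`) but not the mechanism behind it. The following is an added illustration in Python of how such a string escapes a protected-media view whose prefix check runs on a different string than the one handed to the filesystem, beside a handler that resolves the final path and requires it to stay under the media root. This is not coderedcms's views.py; the directory layout, file names, contents and function names are constructed for the example.

```python
"""
Added example (not coderedcms code): a vulnerable and a hardened
protected-media handler, exercised against a constructed directory tree
    <root>/media/protected/report.pdf   (the file the route should serve)
    <root>/settings.py                  (outside the media root)
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class NotFound(Exception):
    """Raised for any refused path, so the response does not say why."""


def make_tree() -> Path:
    """Build a throwaway tree with constructed contents and return its root."""
    root = Path(tempfile.mkdtemp(prefix="crx-demo-"))
    protected = root / "media" / "protected"
    protected.mkdir(parents=True)
    (protected / "report.pdf").write_bytes(b"%PDF-constructed")
    (root / "settings.py").write_text("SECRET_KEY = 'constructed-not-real'\n")
    return root


def serve_protected_vulnerable(root: Path, url_path: str) -> bytes:
    """Checks the 'protected/' prefix on the raw URL, then decodes and joins.

    '..%2f' passes the prefix test untouched; after unquote() it is '../',
    and os.path.join follows it straight out of the protected directory.
    """
    if not url_path.startswith("protected/"):
        raise NotFound(url_path)
    rel = unquote(url_path[len("protected/"):])
    target = os.path.join(root, "media", "protected", rel)
    if not os.path.isfile(target):
        raise NotFound(url_path)
    with open(target, "rb") as fh:
        return fh.read()


def serve_protected_fixed(root: Path, url_path: str) -> bytes:
    """Decode, resolve, and require the result to stay inside the media root."""
    if not url_path.startswith("protected/"):
        raise NotFound(url_path)
    base = (Path(root) / "media" / "protected").resolve()
    target = (base / unquote(url_path[len("protected/"):])).resolve()
    # Containment is tested on the resolved path, so '..' segments (encoded
    # or not) and symlinks that point outside the root are all rejected here.
    if not (target == base or base in target.parents) or not target.is_file():
        raise NotFound(url_path)
    return target.read_bytes()


def attempt(handler, root: Path, url_path: str):
    """Return the served bytes, or None when the handler refuses the path."""
    try:
        return handler(root, url_path)
    except NotFound:
        return None


# Constructed attack string; its shape follows the advisory text.
TRAVERSAL = "protected/..%2f..%2fsettings.py"
LEGIT = "protected/report.pdf"


def demo() -> dict:
    """Run both handlers against the traversal string and a legitimate path."""
    root = make_tree()
    return {
        "vulnerable_traversal": attempt(serve_protected_vulnerable, root, TRAVERSAL),
        "fixed_traversal": attempt(serve_protected_fixed, root, TRAVERSAL),
        "vulnerable_legit": attempt(serve_protected_vulnerable, root, LEGIT),
        "fixed_legit": attempt(serve_protected_fixed, root, LEGIT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Where the `%2f` gets decoded (the WSGI server, the URL resolver, or the view) varies by stack, and the prefix check may even sit in a URL pattern rather than in the view; what matters is that the vulnerable handler validates one string and opens another. Resolving the final path and checking containment against the media root closes that gap wherever decoding happened.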