2072 matches found

CVE | added 6 days ago | 10 views

CVE-2026-49277

CVE-2026-49277 affects Rocket.Chat. Before versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, deactivated users’ OAuth bearer and refresh tokens were not revoked: a deactivated user could continue using an existing access token and could mint a new access token from a refresh...

CVSS 2.3 | AI score 5.9 | EPSS 0.00215
Exploits 0 | References 1
CVE | added 6 days ago | 4 views

CVE-2026-45757

Rocket.Chat before versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allowed users marked inactive by users.deactivateIdle to continue using already-issued login tokens. An idle user deactivated by an administrator could still access authenticated REST endpoints with the old token. Th...

CVSS 2.3 | AI score 5.8 | EPSS 0.00215
Exploits 0 | References 1
Cvelist | added 6 days ago | 15 views

CVE-2026-45757 Rocket.Chat: users.deactivateIdle deactivates accounts without revoking existing login tokens

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has...

CVSS 2.3 | EPSS 0.00215
Exploits 0 | References 1
NVD | added last week | 8 views

CVE-2026-53926

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or...

CVSS 6.3 | EPSS 0.00295
Exploits 0 | References 1
Cvelist | added last week | 25 views

CVE-2026-53926 NocoDB: OAuth Tokens Persist Through Security Events

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or...

CVSS 6.3 | EPSS 0.00295
Exploits 0 | References 1
ATTACKERKB | added last week | 6 views

CVE-2026-53926

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or...

CVSS 6.3 | AI score 5.9 | EPSS 0.00295
Exploits 0 | References 2 | Affected Software 1
CVE | added last week | 16 views

CVE-2026-53926

NocoDB vulnerability CVE-2026-53926: prior to 2026.05.1, revokeAllOAuthTokensByUser was an empty stub used by passwordChange, passwordForgot, and passwordReset, so OAuth access and refresh tokens were not revoked after a password change/reset, allowing an attacker-issued token to remain valid. Th...

CVSS 6.3 | AI score 5.9 | EPSS 0.00295
Exploits 0 | References 1
Cvelist | added last week | 33 views

CVE-2026-54305 n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An...

CVSS 8.9 | EPSS 0.00343
Exploits 0 | References 1
Ubuntu | added 2026/06/22 5:23 p.m. | 3 views

USN-8447-3: Google Guest Agent vulnerabilities

USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in Google Guest Agent. Original advisory details: It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker...

CVSS 10 | AI score 6.2 | EPSS 0.00466
Exploits 0
OSV | added 2026/06/22 5:23 p.m. | 2 views

USN-8447-3 google-guest-agent vulnerabilities

USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in Google Guest Agent. Original advisory details: It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker...

CVSS 10 | AI score 6.1 | EPSS 0.00466
Exploits 0 | References 5
NVD | added 2026/06/22 2:17 p.m. | 9 views

CVE-2026-9162

Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continu...

CVSS 4.3 | EPSS 0.00202
Exploits 0 | References 1
ATTACKERKB | added 2026/06/22 1:36 p.m. | 5 views

CVE-2026-9162

Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continu...

CVSS 4.3 | AI score 5.9 | EPSS 0.00202
Exploits 0 | References 2 | Affected Software 1
CVE | added 2026/06/22 1:36 p.m. | 11 views

CVE-2026-9162

Mattermost vulnerability CVE-2026-9162 affects Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17. The issue: global session revocation does not invalidate cached authentication state for active WebSocket connections, allowing a user with an existing WebSock...

CVSS 4.3 | AI score 5.9 | EPSS 0.00202
Exploits 0 | References 1 | Affected Software 1
Cvelist | added 2026/06/22 1:36 p.m. | 35 views

CVE-2026-9162 Global session revocation does not invalidate active WebSocket connections

Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continu...

CVSS 4.3 | EPSS 0.00202
Exploits 0 | References 1
EUVD | added 2026/06/22 1:36 p.m. | 7 views

EUVD-2026-38247

Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continu...

CVSS 4.3 | AI score 5.9 | EPSS 0.00202
Exploits 0 | References 1
Positive Technologies | added 2026/06/22 12:0 a.m. | 11 views

PT-2026-51322

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.11.x through 10.11.17; Mattermost versions 11.5.x through 11.5.5; Mattermost versions 11.6.x through 11.6.2; Mattermost versions 11.7.x through 11.7.0. Description: An issue exists where the system fails to invalidate cached...

CVSS 4.3 | AI score 5.8 | EPSS 0.00202
Exploits 0 | References 6
Tenable Nessus | added 2026/06/20 12:0 a.m. | 5 views

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS : Go Cryptography vulnerabilities (USN-8447-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8447-1 advisory. It was discovered that Go Cryptography did not properly handle SSH global request responses. ...

CVSS 10 | AI score 6.2 | EPSS 0.00466
Exploits 0 | References 8
OSV | added 2026/06/19 9:42 p.m. | 4 views

GHSA-C36X-H252-G9X2 OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808

Summary: OpenBao users with access to the sys/leases/revoke/:leaseid endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations. Impact: OpenBao's namespaces provide multi-tena...

CVSS 2.1 | AI score 5.8
Exploits 0 | References 5
AstraLinux | added 2026/06/19 11:10 a.m. | 3 views

Astra Linux – Vulnerability in curl

Curl versions 7.41.0 through 7.73.0 are vulnerable to a flaw related to improper checks for certificate revocation, due to insufficient verification of the OCSP response...

CVSS 7.5 | AI score 6.8 | EPSS 0.04575
Exploits 1 | References 1
AstraLinux | added 2026/06/19 11:10 a.m. | 8 views

Astra Linux – Vulnerability in mbedtls

An issue was discovered in Arm Mbed TLS before version 2.24.0. The function mbedtls_x509_crl_parse_der has a buffer over-read of one byte...

CVSS 7.5 | AI score 7.5 | EPSS 0.01687
Exploits 0 | References 2