Lucene search
K

2076 matches found

ATTACKERKB
ATTACKERKB
added 2026/04/01 9:30 p.m.3 views

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

10CVSS5.8AI score0.00502EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/01 9:11 p.m.6 views

openssl-encrypt has no owner verification on key revocation — any client can revoke any key

Summary The revokekey method in opensslencryptserver/modules/keyserver/service.py at lines 195-270 accepts a clientid parameter but never verifies that the requesting client is the same as key.ownerclientid. Impact Any authenticated client can revoke any other client's key, as long as they provid...

5.9AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/01 9:11 p.m.1 views

GHSA-HVC7-763R-4F3H openssl-encrypt has no owner verification on key revocation — any client can revoke any key

Summary The revokekey method in opensslencryptserver/modules/keyserver/service.py at lines 195-270 accepts a clientid parameter but never verifies that the requesting client is the same as key.ownerclientid. Impact Any authenticated client can revoke any other client's key, as long as they provid...

8.7CVSS5.9AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/01 5:3 p.m.2 views

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.4 views

PT-2026-29816

Name of the Vulnerable Software and Affected Versions listmonk versions 4.1.0 through 6.0.0 Description listmonk, a self-hosted newsletter and mailing list manager, has a session management issue. Previously issued authenticated sessions remain valid after sensitive account security changes, such...

7.1CVSS5.9AI score0.003EPSS
Exploits2References7
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.6 views

PT-2026-29636

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description The application does not immediately revoke active user sessions when an account is deactivated. This is due to a logic flaw where account state changes are only enforced during login, not for...

8.8CVSS5.9AI score0.00502EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.5 views

PT-2026-29634

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description The application does not immediately revoke active user sessions when an account is deleted. This is due to a logic flaw where account state changes are only enforced during login, not for existing...

10CVSS5.9AI score0.00502EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2026/03/31 11:52 p.m.6 views

OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/31 11:52 p.m.3 views

GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References5
Snyk
Snyk
added 2026/03/31 4:51 p.m.2 views

Insufficient Session Expiration

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration through incomplete termination of WebSocket sessions when devices are removed or tokens are revoked. An attacker can retain unauthorized access by...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/31 3:31 p.m.9 views

Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...

8.6CVSS5.8AI score0.00332EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/31 3:31 p.m.3 views

GHSA-89HR-6X2P-8XJV Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...

8.6CVSS5.8AI score0.00332EPSS
Exploits0References4
NVD
NVD
added 2026/03/31 3:16 p.m.3 views

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS0.00332EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/31 2:10 p.m.27 views

CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS0.00332EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/31 2:10 p.m.4 views

CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/31 2:10 p.m.3 views

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References4
CVE
CVE
added 2026/03/31 2:10 p.m.11 views

CVE-2026-34503

OpenClaw (vulnerable: before 2026.3.28) fails to terminate active WebSocket sessions when devices are removed or tokens are revoked, enabling persistence of access for revoked credentials through existing live sessions until forced reconnection. This impacts OpenClaw deployments using the affecte...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.4 views

PT-2026-29265

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description The software does not disconnect active WebSocket sessions when devices are removed or tokens are revoked. This allows attackers with revoked credentials to maintain unauthorized access through...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References8
Snyk
Snyk
added 2026/03/30 10:36 p.m.3 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the OCSP response validation process. An attacker can bypass certificate revocation checks by providing a forged OCSP response, potentially enabling man-in-the-middle attacks...

8.2CVSS5.9AI score0.00154EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/30 8:36 p.m.3 views

CVE-2026-32883 Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass

Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0...

5.9CVSS5.8AI score0.00154EPSS
Exploits0References1
Rows per page
Query Builder