10 matches found
EUVD-2026-38228
The Azure Active Directory AAD authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier sessionid as the OAuth state...
CVE-2026-41371
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin sco...
CVE-2026-41371
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin sco...
CVE-2026-41371 OpenClaw < 2026.3.28 - Privilege Escalation via chat.send Reset Command
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin sco...
CVE-2026-41371 OpenClaw < 2026.3.28 - Privilege Escalation via chat.send Reset Command
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin sco...
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
Summary The chat.send path reused command authorization to trigger /reset session rotation even though direct session reset is an admin-only control-plane operation. Impact A write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id...
2025 in Review: A Year of Smarter, Context-Aware API Security
As the year draws to a close, it’s worth pausing to look back on what has been an extraordinary year for Wallarm and, more importantly, for the businesses we protect. If 2024 was about laying the groundwork tracking API sessions to understand behavioral attacks, then 2025 was the year we built up...
CVE-2025-34269
Nagios Fusion versions prior to R2.1 contain a vulnerability due to the application not requiring re-authentication or session rotation when a user has enabled two-factor authentication 2FA. As a result, an adversary who has obtained a valid session could continue using the active session after t...
CVE-2025-34269
...
CVE-2025-34269
This CVE-2025-34269 entry concerns Nagios Fusion prior to R2.1, where the application does not require re-authentication or session rotation after a user enables 2FA. A valid session may persist after 2FA is enabled, enabling potential persistent account takeover and undermining the legitimate us...