CVE-2026-42073 OpenClaude's MCP OAuth Callback: State Check Bypass via error Param Leads to DoS

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter...

CVE-2026-42073

Summary: CVE-2026-42073 affects OpenClaude MCP OAuth callback flow. A logic flaw in the conditional order allows an attacker to bypass the CSRF state check when an error parameter is present, forcing the local OAuth callback server to shut down (DoS) without knowing the expected state. Affected c...

OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS

OAuth State Validation Bypass via error Parameter Causes Local Server DoS in MCP Auth Callback --- Description The OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internal...

CVE-2026-28477

OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVE-2026-28477

CVE-2026-28477 affects OpenClaw. The vulnerability is an OAuth state validation bypass in the manual Chutes login flow, enabling an attacker to substitute credentials and persist tokens for unauthorized accounts by tricking a user into pasting attacker-controlled OAuth callback data. Impact is cr...

CVE-2026-28477 OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow

OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVE-2026-24003 EvseV2G has sequence state validation bypass

EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with...

CVE-2026-24003 EvseV2G has sequence state validation bypass

EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with...

net: bridge: fix use-after-free due to MST port state bypass

...

DEBIAN-CVE-2025-40297

In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported1 a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its...

CVE-2025-40297 net: bridge: fix use-after-free due to MST port state bypass

In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported1 a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its...

CVE-2025-40297

The CVE-2025-40297 fix applies to the Linux kernel net/bridge code. It addresses a use-after-free race that could occur when deleting an expired fdb if MST is enabled. The race happens between ongoing learning and port deletion, where the port state is disabled but MST can bypass the port state, ...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in Linux kernel that stems from an MST port state bypass that could lead to reuse after release...

CVE-2020-12745

An issue was discovered on Samsung mobile devices with Q10.0 software. Attackers can bypass the locked-state protection mechanism and access clipboard content via USSD. The Samsung ID is SVE-2019-16556 May 2020...

CVE-2020-12745

An issue was discovered on Samsung mobile devices with Q10.0 software. Attackers can bypass the locked-state protection mechanism and access clipboard content via USSD. The Samsung ID is SVE-2019-16556 May 2020...