PortSwigger Web Security: UI Consent Bypass via Comma Injection in `addAutoApproveTarget` — User-Approval Dialog and Persistence Layer Disagree on Target Scope, Yielding Authen

A vulnerability was discovered in Burp Suite MCP Server BApp v1.2.1 where the addAutoApproveTarget function failed to validate the hostnames passed to it. This allowed a malicious MCP client to inject a comma-separated hostname, which was then persisted as multiple independent allow-list entries...

OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass

Summary Zalo webhook replay cache cross-target messageId scope bypass Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather tha...

GHSA-8JHH-JCQG-MJ5P OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions

Summary In affected versions of openclaw, channel-initiated config mutations were authorized against the originating account's configWrites policy but did not consistently re-check the targeted account scope. An authorized sender on one account could mutate protected sibling-account configuration...

BIT-GRAFANA-2026-21721 Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege...

UBUNTU-CVE-2026-21721

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege...

CVE-2026-21721 Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege...

EUVD-2026-4820

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege...

PT-2026-4878

Name of the Vulnerable Software and Affected Versions versions prior to 2026-21721 Description The dashboard permissions API does not verify the target dashboard scope, only checking the dashboards.permissions: action. This allows a user with permission management rights on one dashboard to read...