15 matches found

Vulnrichment • added 2026/05/18 6:33 a.m. • 6 views

CVE-2026-6334 OAuth authorization code client binding not enforced during token redemption in Mattermost

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1 CVSS | 5.9 AI score | 0.00027 EPSS
Exploits 0 | References 1

Cvelist • added 2026/05/18 6:33 a.m. • 30 views

CVE-2026-6334 OAuth authorization code client binding not enforced during token redemption in Mattermost

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

3.1 CVSS | 0.00027 EPSS
Exploits 0 | References 1

OSV • added 2026/04/04 6:26 a.m. • 4 views

GHSA-9JPJ-G8VV-J5MF OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

Summary Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth state value. Because the provider reflected state back in the redirect URL, the verifier could be exposed alongside the authorization code. Impact Anyone who could capture the redirect URL could learn bo...

7 CVSS | 6 AI score | 0.00036 EPSS
Exploits 0 | References 5

OSV • added 2026/04/03 9:31 p.m. • 1 views

GHSA-CH86-PXR9-J9H9 Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it...

6 CVSS | 5.8 AI score | 0.00036 EPSS
Exploits 0 | References 4

Github Security Blog • added 2026/04/03 9:31 p.m. • 5 views

Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it...

6 CVSS | 5.9 AI score | 0.00036 EPSS
Exploits 0 | References 5 | Affected Software 1

NVD • added 2026/04/03 9:17 p.m. • 0 views

CVE-2026-34511

OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...

6 CVSS | 0.00036 EPSS
Exploits 0 | References 3

Vulnrichment • added 2026/04/03 8:45 p.m. • 1 views

CVE-2026-34511 OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter

OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...

6 CVSS | 6 AI score | 0.00036 EPSS
Exploits 0 | References 3

Code423n4 • added 2023/09/07 12:0 a.m. • 5 views

Token Loss on Failed Destination Chain Call

Lines of code Vulnerability details Impact The burnAndCallAxelar function allows users to burn tokens from their account with the intention of executing a cross-chain call. However, the tokens are burned before the cross-chain call is attempted. If the cross-chain call fails on the destination...

7.1 AI score
Exploits 0

Code423n4 • added 2023/07/21 12:0 a.m. • 6 views

M-07 Unmitigated

Lines of code Vulnerability details Original Issue code-423n4/2023-06-angle-findings8 Details This issue shows users may get fewer tokens than expected when the collateral list order changes. As mitigation, it recommends checking the length of minAmountsOut and ts.collateralList as well as the...

6.7 AI score
Exploits 0

Code423n4 • added 2023/06/08 12:0 a.m. • 3 views

Custom redemption might revert if old assets were unregistered

Lines of code Vulnerability details quoteCustomRedemption works under the assumption that the maximum size of the erc20sAll should be assetRegistry.size, however there can be cases where an asset was unregistered but still exists in an old basket, making the size of the old basket greater than...

6.8 AI score
Exploits 0

Code423n4 • added 2022/09/12 12:0 a.m. • 10 views

Loss of precision will lock portions of tokens

Lines of code Vulnerability details Impact When the initial balance of a redemption reward token is smaller than the base, small amounts of the token will be rounded down to zero, meaning small-amount users will get nothing for redeeming tokens. Broken accounting means high severity Proof of...

6.7 AI score
Exploits 0

Code423n4 • added 2022/07/08 12:0 a.m. • 10 views

Some fund could be locked in the project forever because only contributors but not project token holders can redeem

Lines of code Vulnerability details Some fund could be locked in the project forever because only contributors but not project token holders can redeem Impact Once the contributor transferred the project tokens to someone else in some DEX maybe, these tokens could never be redeemed. One of the...

6.7 AI score
Exploits 0

Code423n4 • added 2022/05/01 12:0 a.m. • 9 views

An attacker can make users' funds get "locked" in the contract (the owner can get them out and transfer them back to the users)

Lines of code Vulnerability details Impact If a user manages to be the first user to deposit into the contract, he will be minted shares and he can steal all the other users' deposits. Proof of Concept 1. The attacker deposits 1 token into the contract and 1 share is minted to him totalSupply and...

6.9 AI score
Exploits 0

Code423n4 • added 2022/05/01 12:0 a.m. • 11 views

[WP-H1] A malicious early user/attacker can manipulate the vault's pricePerShare to take an unfair share of future users' deposits

Lines of code Vulnerability details This is a well-known attack vector for new contracts that utilize pricePerShare for accounting. / @notice Calculates the number of shares that should be minted or burnt when a user deposit or withdraw. @param tokens Amount of asset tokens @return Number of...

6.7 AI score
Exploits 0

Code423n4 • added 2021/05/11 12:0 a.m. • 9 views

getPseudoRand can be predicted

Handle @cmichelio Vulnerability details Vulnerability Details The NFTXVaultUpgradeable.getPseudoRand is not really random and can be predicted. It's also easy to make sure that one gets the correct token by having a smart contract simulate the randomness logic before the call to redeem / swap...

6.8 AI score
Exploits 0