Lucene search
K

312 matches found

OSV
OSV
added 2026/03/31 11:52 p.m.5 views

GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References5
Snyk
Snyk
added 2026/03/31 4:51 p.m.3 views

Insufficient Session Expiration

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration through incomplete termination of WebSocket sessions when devices are removed or tokens are revoked. An attacker can retain unauthorized access by...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References2
OSV
OSV
added 2026/03/31 3:31 p.m.4 views

GHSA-89HR-6X2P-8XJV Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...

8.6CVSS5.8AI score0.00332EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/31 3:31 p.m.10 views

Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...

8.6CVSS5.8AI score0.00332EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/03/31 3:16 p.m.3 views

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS0.00332EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/31 2:10 p.m.4 views

CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/31 2:10 p.m.3 views

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References4
CVE
CVE
added 2026/03/31 2:10 p.m.15 views

CVE-2026-34503

OpenClaw (vulnerable: before 2026.3.28) fails to terminate active WebSocket sessions when devices are removed or tokens are revoked, enabling persistence of access for revoked credentials through existing live sessions until forced reconnection. This impacts OpenClaw deployments using the affecte...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/03/31 2:10 p.m.30 views

CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

8.6CVSS0.00332EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.5 views

PT-2026-29265

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description The software does not disconnect active WebSocket sessions when devices are removed or tokens are revoked. This allows attackers with revoked credentials to maintain unauthorized access through...

8.6CVSS5.9AI score0.00332EPSS
Exploits0References8
GithubExploit
GithubExploit
added 2026/03/11 10:33 p.m.158 views

Exploit for CVE-2026-30945

🗑️ CVE-2026-30945 StudioCMS IDOR — Arbitrary API Token Revoc...

8.8CVSS5.8AI score0.00564EPSS
Exploits4
OSV
OSV
added 2026/03/11 12:16 a.m.2 views

GHSA-8RGJ-VRFR-6HQR StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

Summary The DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without...

7.1CVSS5.9AI score0.00452EPSS
Exploits2References5
Github Security Blog
Github Security Blog
added 2026/03/11 12:16 a.m.9 views

StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

Summary The DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without...

7.1CVSS5.9AI score0.00452EPSS
Exploits2References5Affected Software1
NVD
NVD
added 2026/03/10 6:18 p.m.7 views

CVE-2026-30945

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS0.00452EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/03/10 4:52 p.m.30 views

CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS0.00452EPSS
Exploits2References3
Vulnrichment
Vulnrichment
added 2026/03/10 4:52 p.m.3 views

CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2026/03/10 4:52 p.m.4 views

CVE-2026-30945

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References4Affected Software1
OSV
OSV
added 2026/03/10 4:52 p.m.8 views

CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References5
CVE
CVE
added 2026/03/10 4:52 p.m.25 views

CVE-2026-30945

CVE-2026-30945 : StudioCMS prior to 0.4.0 exposes an authorization flaw in DELETE /studiocms_api/dashboard/api-tokens. Any authenticated user with editor privileges or above can revoke API tokens for any user (including admin/owner) because tokenID and userID are taken directly from the request w...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.6 views

PT-2026-24253

Name of the Vulnerable Software and Affected Versions StudioCMS versions prior to 0.4.0 Description StudioCMS is a server-side-rendered, Astro native, headless content management system. The DELETE /studiocms api/dashboard/api-tokens API endpoint, before version 0.4.0, allows authenticated users...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References6
Rows per page
Query Builder