312 matches found
GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
Insufficient Session Expiration
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration through incomplete termination of WebSocket sessions when devices are removed or tokens are revoked. An attacker can retain unauthorized access by...
GHSA-89HR-6X2P-8XJV Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...
Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...
CVE-2026-34503
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
CVE-2026-34503
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
CVE-2026-34503
OpenClaw (vulnerable: before 2026.3.28) fails to terminate active WebSocket sessions when devices are removed or tokens are revoked, enabling persistence of access for revoked credentials through existing live sessions until forced reconnection. This impacts OpenClaw deployments using the affecte...
CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
PT-2026-29265
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description The software does not disconnect active WebSocket sessions when devices are removed or tokens are revoked. This allows attackers with revoked credentials to maintain unauthorized access through...
Exploit for CVE-2026-30945
🗑️ CVE-2026-30945 StudioCMS IDOR — Arbitrary API Token Revoc...
GHSA-8RGJ-VRFR-6HQR StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
Summary The DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without...
StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
Summary The DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without...
CVE-2026-30945
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...
CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...
CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...
CVE-2026-30945
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...
CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...
CVE-2026-30945
CVE-2026-30945 : StudioCMS prior to 0.4.0 exposes an authorization flaw in DELETE /studiocms_api/dashboard/api-tokens. Any authenticated user with editor privileges or above can revoke API tokens for any user (including admin/owner) because tokenID and userID are taken directly from the request w...
PT-2026-24253
Name of the Vulnerable Software and Affected Versions StudioCMS versions prior to 0.4.0 Description StudioCMS is a server-side-rendered, Astro native, headless content management system. The DELETE /studiocms api/dashboard/api-tokens API endpoint, before version 0.4.0, allows authenticated users...