49 matches found
Origin Validation Error
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Origin Validation Error via the Slack thread context. An attacker can inject unauthorized messages into the agent context by replying to allowlisted users in Slack threads, thereby...
EUVD-2026-25342
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context...
Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qm77-8qjp-4vcm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages ...
CVE-2026-41358
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context...
CVE-2026-41358
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context...
CVE-2026-41358 OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context...
OpenClaw 访问控制错误漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.2 contained a access control vulnerability. This vulnerability stemmed from the failure to filter Slack thread contexts based on the sender’s permission list, allowing messages...
PT-2026-34789
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.2 Description OpenClaw fails to filter Slack thread context by sender allowlist, which allows messages from non-allowlisted senders to enter the agent context. This enables attackers to inject unauthorized...
CVE-2026-32911
Rejected reason: This CVE ID has been rejected...
Incorrect Authorization
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from...
EUVD-2026-8750
Storybook Dev Server is Vulnerable to WebSocket Hijacking...
GHSA-MJF5-7G4M-GX5W Storybook Dev Server is Vulnerable to WebSocket Hijacking
Summary The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Details Exploitation requires a developer to visit a malicious...
Everest-core security vulnerabilities
Everest-core is a major component of the open-source electric vehicle charging software stack developed by EVerest. Versions of Everest-core prior to 2025.9.0 contained security vulnerabilities. These vulnerabilities stemmed from validation flaws when the default value of the session ID was 0,...
PT-2026-3856
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message...
Spring Framework 5.3.x < 5.3.46 / 6.1.x < 6.1.24 / 6.2.x < 6.2.12 STOMP CSRF (CVE-2025-41254)
The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.46, 6.1.x prior to 6.1.24, or 6.2.x prior to 6.2.12. It is, therefore, affected by a STOMP CSRF vulnerability: - STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to...
Google Messages 安全漏洞
Google Messages is an instant messaging application from Google, Inc USA. A security vulnerability exists in Google Messages that stems from improper handling of the ACTIONSENDTO intent, which could lead to unauthorized message sending...
GHSA-7FCH-4F2F-JCGM Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and Versions Spring Framework: 6.2.0 - 6.2.11 6.1.0 - 6.1.23 6.0.x - 6.0.29 5.3.0 - 5.3.45 Older, unsupported versions are also affected...
Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and Versions Spring Framework: 6.2.0 - 6.2.11 6.1.0 - 6.1.23 6.0.x - 6.0.29 5.3.0 - 5.3.45 Older, unsupported versions are also affected...
DEBIAN-CVE-2025-41254
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and VersionsSpring Framework: 6.2.0 - 6.2.11 6.1.0 - 6.1.23 6.0.x - 6.0.29 5.3.0 - 5.3.45 Older, unsupported versions are also affected...
CVE-2025-41254
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and VersionsSpring Framework: 6.2.0 - 6.2.11 6.1.0 - 6.1.23 6.0.x - 6.0.29 5.3.0 - 5.3.45 Older, unsupported versions are also affected...