Lucene search
K

24 matches found

Cvelist
Cvelist
added 2026/05/29 3:9 p.m.34 views

CVE-2026-34507 OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS0.00148EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/29 3:9 p.m.18 views

EUVD-2026-33334

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have...

5.4CVSS5.9AI score0.00148EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/20 11:8 p.m.4 views

CVE-2026-41331

OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by...

6.9CVSS5.8AI score0.00297EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/17 9:55 p.m.8 views

OpenClaw: Empty approver lists could grant explicit approval authorization

Summary Empty approver lists could grant explicit approval authorization. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.12 Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization,...

6.5CVSS5.7AI score0.00244EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/04/10 4:3 p.m.5 views

EUVD-2026-21454

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or...

6.9CVSS5.8AI score0.00227EPSS
Exploits0References3
CNVD
CNVD
added 2026/04/10 12:0 a.m.6 views

OpenClaw has an unspecified vulnerability (CNVD-2026-17895)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a security vulnerability that can be exploited by attackers to cause network acquisition and disk writes to be forced by unauthorized senders...

6.9CVSS5.3AI score0.00355EPSS
Exploits0
CNVD
CNVD
added 2026/04/10 12:0 a.m.8 views

OpenClaw has an unspecified vulnerability (CNVD-2026-17897)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a security vulnerability that can be exploited by attackers to cause unauthorized senders to bypass authorization checks...

4.3CVSS5.3AI score0.00267EPSS
Exploits0
OSV
OSV
added 2026/04/03 3:15 a.m.3 views

GHSA-M6FX-M8HC-572M OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders

Summary Telegram audio preflight transcription enables resource consumption by unauthorized senders Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement...

6.9CVSS5.9AI score0.00297EPSS
Exploits0References6
Snyk
Snyk
added 2026/04/03 3:15 a.m.3 views

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the preflight process for Telegram audio transcription. An attacker can cause excessive resource or billing consumption by triggeri...

6.9CVSS5.9AI score0.00297EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/03 3:15 a.m.11 views

OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders

Summary Telegram audio preflight transcription enables resource consumption by unauthorized senders Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement...

6.9CVSS5.8AI score0.00297EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/04/02 8:59 p.m.4 views

Incorrect Authorization

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Incorrect Authorization in the process that fetches quoted, root, or thread context messages, which bypasses the sender allowlist. An attacker ca...

5.3CVSS5.8AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/31 2:10 p.m.10 views

CVE-2026-33576

OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected...

6.9CVSS5.9AI score0.00355EPSS
Exploits0References4
NVD
NVD
added 2026/03/31 12:16 p.m.2 views

CVE-2026-34509

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

0.00025EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/03/31 11:17 a.m.5 views

CVE-2026-34509 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

4.3CVSS5.9AI score0.00025EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/31 11:17 a.m.27 views

CVE-2026-34509

...

0.00025EPSS
Exploits0
CVE
CVE
added 2026/03/31 11:17 a.m.14 views

CVE-2026-34506

CVE-2026-34506 concerns the OpenClaw Microsoft Teams plugin. In versions prior to 2026.3.8, a sender allowlist bypass exists when a team/channel route allowlist is configured with an empty groupAllowFrom parameter. The message handler synthesizes wildcard sender authorization, allowing any sender...

4.3CVSS5.9AI score0.00267EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/03/31 12:0 a.m.17 views

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a security vulnerability that can be exploited by attackers to cause network acquisition and disk writes to be forced by unauthorized senders...

6.9CVSS5.8AI score0.00355EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.3 views

CVE-2026-32050

OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue...

6.3CVSS5.8AI score0.0021EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.9 views

Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-792q-qw95-f446. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling...

6.3CVSS5.7AI score0.0021EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/03/21 12:42 a.m.32 views

CVE-2026-32895 OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers

OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted sender...

5.4CVSS0.0018EPSS
Exploits0References3
Rows per page
Query Builder