Lucene search
K

10 matches found

CNNVD
CNNVD
added 2026/04/28 12:0 a.m.7 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.8 contained security vulnerabilities. These vulnerabilities stemmed from a role bypass in the device.token.rotate function, which could allow attackers to bypass device role...

8.8CVSS5.8AI score0.00282EPSS
Exploits0References1
OSV
OSV
added 2026/04/16 11:36 p.m.8 views

BIT-AUTHENTIK-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...

9.8CVSS5.7AI score0.00585EPSS
Exploits0References5
Snyk
Snyk
added 2026/03/09 5:24 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the OIDC token exchange process. An attacker can obtain tokens for unauthorized clients or reuse expired authorization codes by submitting a valid authorization code with a different client ID or by using an...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/23 4:50 p.m.2 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the AccessTokenScopeCheck function. An attacker can obtain unauthorized access tokens with arbitrary scopes by supplying a specially crafted targetNF value. Remediation Upgrade...

9.1CVSS6AI score0.00307EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/01/21 6:13 a.m.19 views

CVE-2025-14559 Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

6.5CVSS0.00443EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/01/21 6:13 a.m.4 views

CVE-2025-14559 Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

6.5CVSS5.4AI score0.00443EPSS
Exploits0References4
CVE
CVE
added 2026/01/21 6:13 a.m.15 views

CVE-2025-14559

CVE-2025-14559 affects Keycloak’s keycloak-services component. A business-logic flaw in the Token Exchange flow allows a privileged client to issue access/refresh tokens for disabled users, potentially bypassing revoked privileges. Affected products/versions are echoed in connected Nessus entries...

6.5CVSS5.4AI score0.00443EPSS
Exploits0References4
OSV
OSV
added 2024/06/28 5:58 p.m.6 views

CVE-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...

8.6CVSS7AI score0.00585EPSS
Exploits0References6
Veracode
Veracode
added 2022/06/14 3:32 a.m.18 views

Insecure Cryptographic Function

Biscuit has insecure cryptographic function. The vulnerability exists due to the use a signature algorithm which allows an attacker to forge Γ-signatures and create token with any access level to bypass authentication and authorization...

9.8CVSS9.1AI score0.0096EPSS
Exploits1References3Affected Software2
OSV
OSV
added 2020/05/04 2:15 p.m.5 views

CVE-2020-8791

The OKLOK 3.1.1 mobile companion app for Fingerprint Bluetooth Padlock FB50 2.3 allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary...

6.5CVSS6.8AI score0.01022EPSS
Exploits1References1
Rows per page
Query Builder