10 matches found
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.8 contained security vulnerabilities. These vulnerabilities stemmed from a role bypass in the device.token.rotate function, which could allow attackers to bypass device role...
BIT-AUTHENTIK-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik
authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the OIDC token exchange process. An attacker can obtain tokens for unauthorized clients or reuse expired authorization codes by submitting a valid authorization code with a different client ID or by using an...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the AccessTokenScopeCheck function. An attacker can obtain unauthorized access tokens with arbitrary scopes by supplying a specially crafted targetNF value. Remediation Upgrade...
CVE-2025-14559 Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...
CVE-2025-14559 Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...
CVE-2025-14559
CVE-2025-14559 affects Keycloak’s keycloak-services component. A business-logic flaw in the Token Exchange flow allows a privileged client to issue access/refresh tokens for disabled users, potentially bypassing revoked privileges. Affected products/versions are echoed in connected Nessus entries...
CVE-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik
authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...
Insecure Cryptographic Function
Biscuit has insecure cryptographic function. The vulnerability exists due to the use a signature algorithm which allows an attacker to forge Γ-signatures and create token with any access level to bypass authentication and authorization...
CVE-2020-8791
The OKLOK 3.1.1 mobile companion app for Fingerprint Bluetooth Padlock FB50 2.3 allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary...