Lucene search
K

6 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.16 views

CVE-2026-9084

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid...

6CVSS5.5AI score0.00182EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/20 2:22 p.m.10 views

CVE-2026-9084

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid...

6CVSS5.8AI score0.00182EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.3 views

CVE-2026-32231

ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...

8.2CVSS6AI score0.00184EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/12 6:22 p.m.3 views

CVE-2026-32231 ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data

ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...

8.2CVSS5.9AI score0.00184EPSS
Exploits1References4
OSV
OSV
added 2026/03/12 4:36 p.m.5 views

GHSA-46Q5-G3J9-WX5C ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data

Summary The generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an attacker who can reach POST /webhook can spoo...

8.2CVSS6AI score0.00184EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/02/21 9:21 a.m.31 views

CVE-2026-27484 OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling timeout, kick, ban uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

2.3CVSS0.0019EPSS
Exploits0References3
Rows per page
Query Builder