40 matches found
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the authentication for Google OIDC tokens in the GCR Receiver webhook endpoint. An attacker can trigger unauthorized reconciliation of resources by presenting any valid Google-issued...
CVE-2026-34590
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...
Replay Attack
Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack in the webhook-security.ts process. An attacker can bypass replay protection by capturing a valid signed webhook and resending it with reordered query parameters, there...
Replay Attack
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Replay Attack in the webhook-security.ts process. An attacker can bypass replay protection by capturing a valid signed webhook and resending it with reordered query parameters, thereby...
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
Summary Plivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key. Impact An attacker who captured one valid signed Plivo V3 webhook could...
Replay Attack
Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack due to improper derivation of the replay key in the webhook-security.ts process. An attacker can bypass replay protection and submit multiple authenticated requests by...
OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
Summary Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-on...
GHSA-CG6C-Q2HX-69H7 OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
Summary Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-on...
GHSA-G5PH-F57V-MWJC OneUptime WhatsApp Webhook Missing Signature Verification
Summary The WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery stat...
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
Summary Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary. Impact An unauthenticated network...
BIT-DISCOURSE-2026-26077 Discourse doesn't ensure webhooks require a token
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
CVE-2026-24736
Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restri...
CVE-2026-24736
Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restri...
PT-2026-2559
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured...
EUVD-2023-1677
Malicious code in bioql PyPI...
CVE-2023-2783
Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps...
CVE-2023-41327
WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying and therefore recording to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. Until WireMock Webhook...
CVE-2022-39292
Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slac...
CVE-2022-4342
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook...
GHSA-MXCC-7H5M-X57R Jenkins GitHub plugin uses weak webhook signature function
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. GitHub Plugin 1.34.5 uses a constant-time comparis...