Lucene search
K
GithubRecent

33190 matches found

Github Security Blog
Github Security Blog
added 2026/03/23 6:30 a.m.10 views

jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations e.g., verify and encryption to collapse to...

5.9CVSS5.9AI score0.001EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 6:30 a.m.12 views

jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.setPublic

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic and the related DSA/X509 verification flow in src/dsa-2.0.js. An attacker can forge DSA signatures or X.509...

9.1CVSS5.9AI score0.00225EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 6:30 a.m.9 views

jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass

Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative...

8.7CVSS5.9AI score0.00496EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 6:30 a.m.9 views

jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs

Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values e.g.,...

8.7CVSS5.9AI score0.00554EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 6:30 a.m.4 views

jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature witho...

9.4CVSS5.9AI score0.003EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/22 6:30 a.m.10 views

Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching

A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been release...

4.8CVSS5.4AI score0.00156EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/22 3:30 a.m.5 views

Free5GC AMF is vulnerable to DoS through its HandleRegistrationComplete function

A weakness has been identified in Free5GC 4.1.0. Affected is the function HandleRegistrationComplete of the file internal/gmm/handler.go of the component AMF. Executing a manipulation can lead to denial of service. The attack may be performed from remote. This patch is called...

6.9CVSS5.7AI score0.00427EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.10 views

Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path...

6.5CVSS5.7AI score0.00249EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.9 views

Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7jx5-9fjg-hp4m. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approv...

5.4CVSS5.7AI score0.00257EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.7 views

Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rm2p-j3r7-4x4j. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction and pin non-message...

5.3CVSS5.7AI score0.00204EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.6 views

Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v6x2-2qvm-6gv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscati...

6.3CVSS5.7AI score0.00262EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.9 views

Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vvgp-4c28-m3jm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI...

8.1CVSS5.9AI score0.00335EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.7 views

Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-36h3-7c54-j27r. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output...

7.8CVSS5.9AI score0.00126EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.11 views

Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized...

6.9CVSS5.7AI score0.00337EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.8 views

Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hwpq-rrpf-pgcq. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered...

6.5CVSS6AI score0.0029EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.7 views

Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with...

6.5CVSS5.9AI score0.00191EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.5 views

Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xgf2-vxv2-rrmg. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the...

9.8CVSS6.4AI score0.00559EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.10 views

Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v8cg-4474-49v8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event...

5.4CVSS5.7AI score0.0018EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.8 views

Duplicate Advisory: OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vjp8-wprm-2jw9. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-store access contr...

8.1CVSS5.7AI score0.00165EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.5 views

Duplicate Advisory: OpenClaw's andbox browser noVNC observer lacked VNC authentication

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-25gx-x37c-7pph. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC...

9.1CVSS5.8AI score0.00514EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.5 views

Duplicate Advisory: OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mgrq-9f93-wpp5. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that...

8.2CVSS5.9AI score0.00322EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.8 views

Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hff7-ccv5-52f8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway...

9.1CVSS5.7AI score0.00401EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.6 views

Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mwcg-wfq3-4gjc. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run...

7CVSS6.2AI score0.00099EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.10 views

Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6rcp-vxwf-3mfp. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that...

9.8CVSS6AI score0.00911EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.9 views

Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-43x4-g22p-3hrq. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to...

9.8CVSS6.5AI score0.00288EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.8 views

Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-792q-qw95-f446. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling...

6.3CVSS5.7AI score0.0021EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.7 views

Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rxxp-482v-7mrh. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before bufferi...

8.7CVSS5.8AI score0.00543EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.7 views

Duplicate Advisory: OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-p7gr-f84w-hqg5. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessionsspawn operations,...

9.9CVSS5.8AI score0.00281EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 12:31 a.m.5 views

NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequenc...

6.5CVSS6AI score0.00539EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/21 12:31 a.m.9 views

MindSQL is vulnerable to Code Injection through its ask_db function

A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function askdb of the file mindsql/core/mindsqlcore.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was...

6.5CVSS5.5AI score0.00228EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:55 p.m.10 views

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Summary An unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution o...

8.6CVSS6.5AI score0.0074EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:55 p.m.6 views

AVideo has an unauthenticated decrypt oracle leaking any ciphertext

Summary The API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly e.g., view/url2Embed.json.php, so any user can recover protected tokens/metadata. Severity: High. Details - Entry:...

7.5CVSS5.8AI score0.00234EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:51 p.m.7 views

webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic

If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored. The impact was that correct provided CRLs would...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:50 p.m.6 views

pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration

Summary The setconfigvalue API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run in the thread manager's reconnect logic. A SETTINGS...

8.8CVSS6.7AI score0.00529EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:48 p.m.7 views

Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

8.2CVSS5.8AI score0.00345EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:47 p.m.8 views

AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookiesamesite = 'None' for HTTPS connections, an unauthenticated...

8.8CVSS6.2AI score0.00367EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:47 p.m.6 views

Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow

Summary The ZenClaw Discord Integration GitHub Actions workflow is vulnerable to shell command injection. The issue title field, controllable by any GitHub user, is interpolated directly into a run shell block via a GitHub Actions template expression. An attacker can craft an issue title containi...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:31 p.m.9 views

DreamFactory has a directory traversal

An issue in the component /Controllers/RestController.php of DreamFactory Core v1.0.3 allows attackers to execute a directory traversal via an unsanitized URI path...

7.2CVSS5.8AI score0.00865EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:57 p.m.7 views

AVideo has Unauthenticated SSRF via plugin/Live/test.php

Summary An unauthenticated server-side request forgery vulnerability in plugin/Live/test.php allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud...

9.3CVSS6.5AI score0.00442EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:57 p.m.7 views

AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin

Summary The endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory add.json.php,...

5.3CVSS5.9AI score0.0043EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:56 p.m.9 views

AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization

Summary The fix for CVE-2026-27568 GHSA-rcqw-6466-3mv7 introduced a custom ParsedownSafeWithLinks class that sanitizes raw HTML and tags in comments, but explicitly disables Parsedown's safeMode. This creates a bypass: markdown link syntax text is processed by Parsedown's inlineLink method, which...

6.1CVSS5.9AI score0.00229EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:56 p.m.9 views

AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php

Summary The view/forbiddenPage.php and view/warningPage.php templates reflect the $REQUEST'unlockPassword' parameter directly into an HTML tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the value attribute and injects arbitrary HTML...

6.1CVSS5.9AI score0.00231EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:56 p.m.9 views

Parse Server has a query condition depth bypass via pre-validation transform pipeline

Impact An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. Patches The...

8.7CVSS5.8AI score0.00452EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:56 p.m.7 views

langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading

Vulnerability Path Traversal in GET /api/v1/files/profilepictures/foldername/filename The downloadprofilepicture function in src/backend/base/langflow/api/v1/files.py constructed file paths by directly concatenating the user-supplied foldername and filename path parameters without sanitization or...

8.7CVSS6AI score0.07992EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:55 p.m.6 views

Ory Keto has a SQL injection via forged pagination tokens

Description The GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious token...

7.2CVSS6.2AI score0.00229EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:55 p.m.8 views

Ory Hydra has a SQL injection via forged pagination tokens

Description Following Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation: - listOAuth2Clients - listOAuth2ConsentSessions - listTrustedOAuth2JwtGrantIssuers Pagination tokens are encrypted using the secret configured in secrets.pagination. If thi...

7.2CVSS6.2AI score0.00349EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 8:54 p.m.12 views

Ory Kratos has a SQL injection via forged pagination tokens

Description The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including...

7.2CVSS6.2AI score0.00252EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:51 p.m.22 views

Ory Oathkeeper has a path traversal authorization bypass

Description Ory Oathkeeper is vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences e.g. /public/../admin/secrets that resolves to a protected path after normalization, but is matched against a permissive rule because the ra...

10CVSS5.8AI score0.00519EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:51 p.m.9 views

Ory Oathkeeper has an authentication bypass by cache key confusion

Description Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and...

8.1CVSS5.8AI score0.00333EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:50 p.m.5 views

Ory Oathkeeper has an authentication bypass by usage of untrusted header

Description Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol http vs. https than the original request. In order to properly match the...

6.5CVSS5.8AI score0.00233EPSS
Exploits0References4Affected Software1
Total number of security vulnerabilities33190