33100 matches found
OpenClaw: Exec approval display truncation could hide the command being approved
Summary OpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after...
OpenClaw: Message read actions could skip channel allowlist checks
Summary Message read actions could skip channel allowlist checks. In affected versions, a lower-trust caller with access to the affected message read action could request messages without the same channel allowlist check used by normal delivery. This advisory is scoped to the named feature and...
mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete
Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete Summary All HTTP routes under /api/documents/ in mcp-memory-service are served without any authentication dependency, even when the server is configured with an API key MCPAPIKEY or OAuth. An...
GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward
Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...
GoFiber Vulnerable to Username Enumeration via Timing Oracle in BasicAuth Default Authorizer
Summary The default Authorizer function in GoFiber's BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords the primary use case, the timing difference between a valid and invalid username is approximately...
OpenClaw MCP SSE redirects could forward Authorization headers
Summary MCP SSE redirects could forward Authorization headers. In affected versions, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization. This advisory is scoped to the named feature and configuration. It does not change...
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
Actor MCP path authority injection leaks Apify token Summary @apify/actors-mcp-server version 0.10.7 builds Actor standby URLs by directly concatenating a trusted base URL with an attacker-controlled webServerMcpPath value taken from an Actor definition returned by the Apify API. An attacker who...
goshs: Share-link ?token=… redemption races past download limit
Share-link ?token=… redemption races past download limit Ecosystem: Go Package: goshs.de/goshs/v2 github.com/patrickhener/goshs Affected: 0 || entry.DownloadLimit == -1 // ...serve file... // = current.DownloadLimit deletefs.SharedLinks, token fs.sharedLinksMu.Unlock Between line 978 RUnlock and...
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Impact When Ghost is behind a shared caching layer that results in cached content being shared between different visitors e.g., Fastly, Cloudflare, nginx proxycache, and others, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected...
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags Ecosystem: Go Package: goshs.de/goshs/v2 github.com/patrickhener/goshs Affected: /tmp/r/x.txt goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw & curl -u admin:pw -X PUT http://localhost:18000/y.txt --data x 403 HT...
ORAS Go forwards registry credentials across registry redirects
ORAS Go forwards registry credentials across registry redirects Reporter / public credit: JUNYI LIU Summary ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects. There are two related paths: 1. A manifest or metadata...
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
Summary A flaw in com.ongres.scram:scram-client allows an attacker capable of performing a TLS man-in-the-middle MITM attack to silently downgrade a connection from SCRAM-SHA-256-PLUS with channel binding to standard SCRAM-SHA-256 without channel binding, bypassing strict client-side enforcement...
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
Root cause The tar-extraction helper ensureLinkPath at content/file/utils.go:262-275 validates that a hardlink's target resolves inside the extract base, but then returns the original unresolved target string back to the caller: go func ensureLinkPathbaseAbs, baseRel, link, target string string,...
oras-go has file store write outside workingDir via symlink traversal
The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...
Keycloak has privilege escalation via improper scope mapping enforcement
Description A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended...
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Summary oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint e....
Rancher has Privilege Escalation from Project Owner to Host
Impact A vulnerability has been identified in Rancher Manager that allows users assigned the Project Owner role to modify Pod Security Admission PSA labels on namespaces within their projects. Under the default role configuration, an attacker with the following access pattern can exploit this...
Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)
Summary The fix for GHSA-fpxj-m5q8-fphw CVE-2026-45710, "Mailpit: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes" wrapped only POST /api/v1/send with http.MaxBytesReader. The four other Mailpit JSON-body API endpoints PUT /api/v1/messages...
@hey-api/openapi-ts's `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key
Summary dist/clients/core/params.ts in @hey-api/openapi-ts ships a runtime template that is copied verbatim into every generated SDK as params.gen.ts. When a caller passes an object argument containing an unknown key starting with a slot prefix $body, $headers, $path, $query, the function strips...
Rancher has over-inclusive team membership expansion in GitHub App authentication provider
Impact A vulnerability has been identified within Rancher Manager in the GitHub App authentication provider. When evaluating permissions, the provider incorrectly expands user team memberships to include all teams within the associated GitHub organization, rather than restricting access to the...
Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom` references in Helm Deployer
Impact A vulnerability in Fleet for Rancher Manager affects multi-tenancy environments where different tenants share the same downstream clusters e.g., different privileged or untrusted teams inside the same organization. On unpatched versions, tenants could bypass restrictions to access any conf...
Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
Impact A vulnerability has been identified in Fleet when the helmRepoURLRegex field isn't set on a GitRepo resource. Fleet's bundle reader forwards Helm authentication credentials BasicAuth to any URL specified in the helm.repo field of a fleet.yaml file. An attacker with git push access to a...
Rancher vulnerable to command injection through unsanitized YAML parameter
Impact A critical command injection vulnerability has been identified in the Rancher Manager cluster import endpoint /v3/import/tokenclusterId.yaml through unsanitized YAML parameters. This endpoint accepts an authImage query parameter that is rendered without sanitization into a generated...
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
Impact A vulnerability has been identified in Fleet when the webhook endpoint is configured without a secret; an attacker can forge webhook requests. The attacker doesn't need to know the specific repository or path configured in the GitRepo resource to make Fleet process these requests. An...
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
Impact A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a...
QUIC has Broken TLS verification
Impact The QUIC client did not authenticate the server during the TLS 1.3 handshake. The CertificateVerify signature was not checked, the certificate chain was not validated, and the hostname was not compared against the certificate, so verify was effectively a no-op on the client. A...
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory
Summary ArchiveUtils.untarInputStream, Path and ArchiveUtils.unzipInputStream, Path in land.oras:oras-java-sdk create symbolic-link entries from an archive without validating the symlink target. A malicious tar or zip shipped as an OCI layer blob can place a symlink under the extraction directory...
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
Summary Centrifugo's dynamic JWKS endpoint feature can verify a JWT for one allowed issuer using a public key cached from another allowed issuer. The JWKS cache and singleflight lookup are keyed only by the JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or other trust-domain...
SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted
In SurrealDB, records can be connected as a graph: a RELATE statement creates an edge record between two node records. If either endpoint node is deleted, SurrealDB automatically removes the edge row to keep the graph consistent. A user with permission to delete a node could also delete the edges...
SurrealDB: ES512 silently downgraded to ES384 due to jsonwebtoken crate limitation
When a user configures ALGORITHM ES512 for any JWT access method DEFINE ACCESS ... TYPE JWT ALGORITHM ES512, SurrealDB silently substitutes ES384 at all four internal algorithm conversion points. This occurs because the underlying jsonwebtoken crate v10.x does not include an ES512 algorithm...
SurrealDB: Field-level SELECT permissions bypassed via indexed COUNT fast paths
A record user could learn the value of a hidden field by counting how many records match a guess. When DEFINE FIELD ... PERMISSIONS FOR select WHERE ... hides a field's contents from a caller, and that field is indexed, running SELECT count FROM t WHERE hiddenfield = "guess" GROUP ALL returned a...
SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization
An anonymous caller could create new namespaces and databases on a running SurrealDB instance without holding DEFINE NAMESPACE or DEFINE DATABASE permission. USE NS and USE DB automatically create the target when it does not exist. The three places USE is handled — the RPC use method,...
SurrealDB: Port-specific --deny-net rules silently bypassed on HTTP redirect
SurrealDB offers http:: functions that can access external network endpoints, with the --allow-net and --deny-net capabilities used to restrict the set of network targets that can be reached. An authenticated user of SurrealDB can bypass a port-scoped --deny-net : rule by chaining an HTTP redirec...
SurrealDB: Authenticated subscribers can read records hidden by SELECT permissions via LIVE subscriptions
A record user could read records the table's SELECT permission expression should have hidden, when that expression referenced $value, $before, $after, or $event. Binding a chosen value to that name before registering a LIVE SELECT caused notifications to evaluate the permission against the...
SurrealDB: `RELATE` overwrites existing edge records without `UPDATE` permission
RELATE creates an edge record between two existing records, and SurrealDB enforces the CREATE permission on the edge table for this operation. When the statement included a SET id = edge:existing clause, however, the new edge's id ended up pointing at an record that was already in storage. Rather...
SurrealDB has bypass of field-level SELECT permissions through JSON Patch `copy` and `move` with empty `from`
SurrealDB lets callers modify records using JSON Patch operations via the UPDATE … PATCH statement and SDK equivalents such as db.patch. One of those operations is copy, which duplicates one field's value into another field of the same record. A PATCH with an empty from — for example, UPDATE...
SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages
A record user with UPDATE access could read field values that field-level SELECT permissions hid from them. Arithmetic operators and extend embedded the raw operand into their error messages, and UPDATE permission checks evaluate against the unreduced document — so triggering such an error agains...
SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls
A LIVE SELECT subscription records the user's auth state $auth, $token, $session, $access when it is registered, and the server uses that recorded state to evaluate the table- and row-level PERMISSIONS clauses for every subsequent notification. The recorded state is never refreshed. When somethin...
SurrealDB vulnerable to pre-auth memory amplification via unbounded `/sql` WebSocket frames
An anonymous caller could degrade /sql availability by streaming WebSocket frames many times larger than the operator-configured per-connection limit. The /sql upgrade handler accepted anonymous connections and did not propagate SURREALWEBSOCKETMAXMESSAGESIZE to the WebSocket protocol layer —...
SurrealDB: Authorization Bypass in KILL Statement Allows Termination of Other Users' Live Queries
The KILL statement is used to terminate LIVE SELECT subscriptions that capture real-time changes to data within a table. The KILL statement implementation in core/src/expr/statements/kill.rs verifies that the requesting user has database-level access, but does not verify that the requesting user ...
SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table required
A LIVE query whose WHERE clause evaluates to an error caused the source data modifier the user creating, updating, or deleting a record on the watched table to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type — for example LIVE...
SurrealDB has an Authorization Bypass via Composite Record-id Paths
An authenticated user could bypass permission rules that gated access on parts of a record's id — most commonly tenant-isolation rules of the form PERMISSIONS FOR select WHERE id.tenant = $auth.id.tenant. The same defect also let UNIQUE constraints defined on parts of an id admit duplicate entrie...
SurrealDB: Graph traversal bypasses table SELECT permissions
An authenticated record or scope user could read records on any table reachable through a graph edge or REFERENCES TO back-reference, regardless of that table's PERMISSIONS FOR select clause. Traversing SELECT FROM source-edge-target returned full documents from target even when target was define...
SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth level
A vulnerability was discovered where the user-supplied WHERE clause in a SELECT statement is evaluated against the full record data before PERMISSIONS FOR SELECT WHERE determines whether the principal is authorised to access that record. A side-effecting expression in the WHERE clause can...
SurrealDB vulnerable to Denial of Service due to nested types annotations
The SurrealDB type/kind parser did not enforce the configured recursion depth limit when parsing nested type annotations. The expression parser already enforced the limit for analogous constructs; the kind parser omitted it. An authenticated attacker could send a query with deeply nested type...
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
A single unauthenticated WebSocket message to /rpc crashed the SurrealDB server. Sending use db: "x" without first selecting a namespace hit .expect"namespace should be set" in the use handler; because surrealdb-core is built with panic = 'abort', the panic terminated the process. use is callable...
SurrealDB has Denial of Service in JSON parser due to nested objects
The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested , , or tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to t...
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation
The HTTP /rpc endpoint has a time-of-check/time-of-use TOCTOU race condition on internal session state. When authenticated and unauthenticated requests are processed concurrently, the unauthenticated request can inherit the authenticated user's session and privileges. The /rpc endpoint is the...
SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers
The HTTP /rpc sessions method returned every attached session UUID without authentication, and the /rpc handler accepted an arbitrary session field with no ownership check. An anonymous caller could enumerate UUIDs and impersonate any authenticated session. "Attached" means sessions registered vi...