CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-V987-5JRJ-J3XX
Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-22 00:00An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
{
"affected": [],
"aliases": [
"CVE-2022-35890"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-15T21:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.",
"id": "GHSA-v987-5jrj-j3xx",
"modified": "2022-07-22T00:00:38Z",
"published": "2022-07-16T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35890"
},
{
"type": "WEB",
"url": "https://github.com/sourceincite/randy"
},
{
"type": "WEB",
"url": "https://support.inductiveautomation.com/hc/en-us/articles/7625759776653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V9H9-P74G-4CCW
Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-14 00:03An improper access control vulnerability [CWE-284] in FortiIsolator versions 2.3.2 and below may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL.
{
"affected": [],
"aliases": [
"CVE-2021-41020"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-04T16:15:00Z",
"severity": "HIGH"
},
"details": "An improper access control vulnerability [CWE-284] in FortiIsolator versions 2.3.2 and below may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL.",
"id": "GHSA-v9h9-p74g-4ccw",
"modified": "2022-05-14T00:03:36Z",
"published": "2022-05-05T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41020"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-21-040"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V9JR-G692-6QHV
Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-30 00:00Inappropriate implementation in WebGL in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1482"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-26T22:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in WebGL in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-v9jr-g692-6qhv",
"modified": "2022-07-30T00:00:19Z",
"published": "2022-07-27T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1482"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1304987"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V9M4-696P-QH68
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2023-12-12 03:31Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device.
{
"affected": [],
"aliases": [
"CVE-2023-6542"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T02:15:09Z",
"severity": "HIGH"
},
"details": "Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device.\n\n",
"id": "GHSA-v9m4-696p-qh68",
"modified": "2023-12-12T03:31:45Z",
"published": "2023-12-12T03:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6542"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3406244"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V9RC-F4WG-2JRV
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-07-13 00:01Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.
{
"affected": [],
"aliases": [
"CVE-2021-33686"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T12:15:00Z",
"severity": "MODERATE"
},
"details": "Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.",
"id": "GHSA-v9rc-f4wg-2jrv",
"modified": "2022-07-13T00:01:26Z",
"published": "2022-05-24T19:14:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33686"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3070138"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V9VJ-VPG8-VQMJ
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-08-06 00:00In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
{
"affected": [],
"aliases": [
"CVE-2021-20990"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-19T14:15:00Z",
"severity": "HIGH"
},
"details": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.",
"id": "GHSA-v9vj-vpg8-vqmj",
"modified": "2022-08-06T00:00:41Z",
"published": "2022-05-24T17:47:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20990"
},
{
"type": "WEB",
"url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Apr/27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V9W3-34XQ-HRJG
Vulnerability from github – Published: 2023-12-13 18:31 – Updated: 2023-12-18 21:43Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.cloudtp.jenkins:paaslane-estimate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50777"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-13T23:15:24Z",
"nvd_published_at": "2023-12-13T18:15:44Z",
"severity": "MODERATE"
},
"details": "Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.",
"id": "GHSA-v9w3-34xq-hrjg",
"modified": "2023-12-18T21:43:29Z",
"published": "2023-12-13T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50777"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/paaslane-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3182"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Tokens stored in plain text by PaaSLane Estimate Plugin "
}
GHSA-V9W4-GM2X-6RVF
Vulnerability from github – Published: 2026-04-08 00:04 – Updated: 2026-04-08 00:04When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 (commit 860c19d).
Details
Share creation (http/share.go:21-29) correctly checks permissions:
func withPermShare(fn handleFunc) handleFunc {
return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
if !d.user.Perm.Share || !d.user.Perm.Download {
return http.StatusForbidden, nil
}
return fn(w, r, d)
})
}
But share access (http/public.go:18-87, withHashFile) does not:
var withHashFile = func(fn handleFunc) handleFunc {
return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
link, err := d.store.Share.GetByHash(id) // line 21: checks share exists
authenticateShareRequest(r, link) // line 26: checks password
user, err := d.store.Users.Get(...) // line 31: checks user exists
d.user = user // line 36: sets user
file, err := files.NewFileInfo(...) // line 38: gets file
// MISSING: no check for d.user.Perm.Share or d.user.Perm.Download
}
}
Proof of Concept (runtime-verified)
# Step 1: Login as admin
TOKEN=$(curl -s -X POST http://localhost:18080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"<admin-password>"}')
# Step 2: Create testuser with Share+Download permissions
curl -X POST http://localhost:18080/api/users \
-H "X-Auth: $TOKEN" -H "Content-Type: application/json" \
-d '{"what":"user","which":[],"current_password":"<admin-password>",
"data":{"username":"testuser","password":"TestPass123!","scope":".",
"perm":{"share":true,"download":true,"create":true}}}'
# Step 3: Login as testuser and create share
USER_TOKEN=$(curl -s -X POST http://localhost:18080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"testuser","password":"TestPass123!"}')
curl -X POST http://localhost:18080/api/share/secret.txt \
-H "X-Auth: $USER_TOKEN" -H "Content-Type: application/json" -d '{}'
# Returns: {"hash":"fB4Qwtsn","path":"/secret.txt","userID":2,"expire":0}
# Step 4: Verify share works (unauthenticated)
curl http://localhost:18080/api/public/dl/fB4Qwtsn
# Returns: file content (200 OK)
# Step 5: Admin revokes testuser's Share and Download permissions
curl -X PUT http://localhost:18080/api/users/2 \
-H "X-Auth: $TOKEN" -H "Content-Type: application/json" \
-d '{"what":"user","which":["all"],"current_password":"<admin-password>",
"data":{"id":2,"username":"testuser","scope":".",
"perm":{"share":false,"download":false,"create":true}}}'
# Step 6: Verify testuser CANNOT create new shares
curl -X POST http://localhost:18080/api/share/secret.txt \
-H "X-Auth: $USER_TOKEN" -d '{}'
# Returns: 403 Forbidden (correct)
# Step 7: THE BUG - old share STILL works
curl http://localhost:18080/api/public/dl/fB4Qwtsn
# Returns: file content (200 OK) - SHOULD be 403
Impact
When an admin revokes a user's Share or Download permissions: - New share creation is correctly blocked (403) - But all existing shares created by that user remain fully accessible to unauthenticated users - The admin has a false sense of security: they believe revoking Share permission stops all sharing
This is the same vulnerability class as GHSA-68j5-4m99-w9w9 ("Authorization Policy Bypass in Public Share Download Flow").
Suggested Fix
Add permission re-validation in withHashFile:
user, err := d.store.Users.Get(d.server.Root, link.UserID)
if err != nil {
return errToStatus(err), err
}
// Verify the share owner still has Share and Download permissions
if !user.Perm.Share || !user.Perm.Download {
return http.StatusForbidden, nil
}
d.user = user
Update: Fix submitted as PR #5888.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.63.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35604"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:04:59Z",
"nvd_published_at": "2026-04-07T17:16:34Z",
"severity": "HIGH"
},
"details": "When an admin revokes a user\u0027s Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner\u0027s current permissions. Verified with a running PoC against v2.62.2 (commit 860c19d).\n\n## Details\n\nShare creation (`http/share.go:21-29`) correctly checks permissions:\n\n func withPermShare(fn handleFunc) handleFunc {\n return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {\n if !d.user.Perm.Share || !d.user.Perm.Download {\n return http.StatusForbidden, nil\n }\n return fn(w, r, d)\n })\n }\n\nBut share access (`http/public.go:18-87`, `withHashFile`) does not:\n\n var withHashFile = func(fn handleFunc) handleFunc {\n return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {\n link, err := d.store.Share.GetByHash(id) // line 21: checks share exists\n authenticateShareRequest(r, link) // line 26: checks password\n user, err := d.store.Users.Get(...) // line 31: checks user exists\n d.user = user // line 36: sets user\n file, err := files.NewFileInfo(...) // line 38: gets file\n // MISSING: no check for d.user.Perm.Share or d.user.Perm.Download\n }\n }\n\n## Proof of Concept (runtime-verified)\n\n # Step 1: Login as admin\n TOKEN=$(curl -s -X POST http://localhost:18080/api/login \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"username\":\"admin\",\"password\":\"\u003cadmin-password\u003e\"}\u0027)\n\n # Step 2: Create testuser with Share+Download permissions\n curl -X POST http://localhost:18080/api/users \\\n -H \"X-Auth: $TOKEN\" -H \"Content-Type: application/json\" \\\n -d \u0027{\"what\":\"user\",\"which\":[],\"current_password\":\"\u003cadmin-password\u003e\",\n \"data\":{\"username\":\"testuser\",\"password\":\"TestPass123!\",\"scope\":\".\",\n \"perm\":{\"share\":true,\"download\":true,\"create\":true}}}\u0027\n\n # Step 3: Login as testuser and create share\n USER_TOKEN=$(curl -s -X POST http://localhost:18080/api/login \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"username\":\"testuser\",\"password\":\"TestPass123!\"}\u0027)\n curl -X POST http://localhost:18080/api/share/secret.txt \\\n -H \"X-Auth: $USER_TOKEN\" -H \"Content-Type: application/json\" -d \u0027{}\u0027\n # Returns: {\"hash\":\"fB4Qwtsn\",\"path\":\"/secret.txt\",\"userID\":2,\"expire\":0}\n\n # Step 4: Verify share works (unauthenticated)\n curl http://localhost:18080/api/public/dl/fB4Qwtsn\n # Returns: file content (200 OK)\n\n # Step 5: Admin revokes testuser\u0027s Share and Download permissions\n curl -X PUT http://localhost:18080/api/users/2 \\\n -H \"X-Auth: $TOKEN\" -H \"Content-Type: application/json\" \\\n -d \u0027{\"what\":\"user\",\"which\":[\"all\"],\"current_password\":\"\u003cadmin-password\u003e\",\n \"data\":{\"id\":2,\"username\":\"testuser\",\"scope\":\".\",\n \"perm\":{\"share\":false,\"download\":false,\"create\":true}}}\u0027\n\n # Step 6: Verify testuser CANNOT create new shares\n curl -X POST http://localhost:18080/api/share/secret.txt \\\n -H \"X-Auth: $USER_TOKEN\" -d \u0027{}\u0027\n # Returns: 403 Forbidden (correct)\n\n # Step 7: THE BUG - old share STILL works\n curl http://localhost:18080/api/public/dl/fB4Qwtsn\n # Returns: file content (200 OK) - SHOULD be 403\n\n## Impact\n\nWhen an admin revokes a user\u0027s Share or Download permissions:\n- New share creation is correctly blocked (403)\n- But all existing shares created by that user remain fully accessible to unauthenticated users\n- The admin has a false sense of security: they believe revoking Share permission stops all sharing\n\nThis is the same vulnerability class as GHSA-68j5-4m99-w9w9 (\"Authorization Policy Bypass in Public Share Download Flow\").\n\n## Suggested Fix\n\nAdd permission re-validation in `withHashFile`:\n\n user, err := d.store.Users.Get(d.server.Root, link.UserID)\n if err != nil {\n return errToStatus(err), err\n }\n\n // Verify the share owner still has Share and Download permissions\n if !user.Perm.Share || !user.Perm.Download {\n return http.StatusForbidden, nil\n }\n\n d.user = user\n\n---\n\n**Update:** Fix submitted as PR #5888.",
"id": "GHSA-v9w4-gm2x-6rvf",
"modified": "2026-04-08T00:04:59Z",
"published": "2026-04-08T00:04:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-v9w4-gm2x-6rvf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35604"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/pull/5888"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "File Browser share links remain accessible after Share/Download permissions are revoked"
}
GHSA-VC32-H5MQ-453V
Vulnerability from github – Published: 2026-04-09 17:34 – Updated: 2026-05-06 02:41Impact
/allowlist omits owner-only enforcement for cross-channel allowlist writes.
An authorized non-owner sender could attempt allowlist writes against a different channel.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<=v2026.4.1 - Patched versions:
2026.4.8
Fix
The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Verification
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41910"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T17:34:33Z",
"nvd_published_at": "2026-04-28T19:37:44Z",
"severity": "MODERATE"
},
"details": "## Impact\n\n/allowlist omits owner-only enforcement for cross-channel allowlist writes.\n\nAn authorized non-owner sender could attempt allowlist writes against a different channel.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c=v2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @zsxsoft and @KeenSecurityLab for reporting.",
"id": "GHSA-vc32-h5mq-453v",
"modified": "2026-05-06T02:41:10Z",
"published": "2026-04-09T17:34:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41910"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes"
}
GHSA-VC3V-RGF8-2C4V
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2021-12-29 00:01Insufficient policy enforcement in background fetch in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-38016"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T01:15:00Z",
"severity": "HIGH"
},
"details": "Insufficient policy enforcement in background fetch in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass same origin policy via a crafted HTML page.",
"id": "GHSA-vc3v-rgf8-2c4v",
"modified": "2021-12-29T00:01:09Z",
"published": "2021-12-24T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38016"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1244289"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5046"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.