CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5505 vulnerabilities reference this CWE, most recent first.
GHSA-WP87-MGVQ-5J93
Vulnerability from github – Published: 2026-07-01 20:21 – Updated: 2026-07-01 20:21An anonymous caller could create new namespaces and databases on a running SurrealDB instance without holding DEFINE NAMESPACE or DEFINE DATABASE permission.
USE NS <name> and USE DB <name> automatically create the target when it does not exist. The three places USE is handled — the RPC use method, Datastore::process_use, and the SurrealQL executor — did not check whether the caller was allowed to create the resource. Under default capabilities any session reached this path, including an unauthenticated guest.
Impact
What an attacker can do:
- Create new namespaces and databases without
DEFINE NAMESPACE/DEFINE DATABASEpermission. An unauthenticated guest is enough under default capabilities. - Recreate a parent namespace that an operator deliberately dropped, using a stale namespace-Editor token, by running
USE NS <dropped> DB anything. - Exhaust catalog storage by repeatedly creating new resources.
What it can't do:
- Read or modify data inside any pre-existing namespace or database.
- Escalate to root or namespace-owner privileges on existing resources.
- Affect deployments running with
auth_enabled=false.
Patches
All three USE entry points now check whether the caller has DEFINE NAMESPACE / DEFINE DATABASE authority before creating a missing target. Sessions still update their context regardless of authorization, so SDKs that send use before signin continue to work — only the catalog creation step is gated. The parent-namespace side-effect path is closed by the same check.
Versions 3.1.0 and later are not affected.
Workarounds
- Set
--deny-arbitrary-query *for guest principals to remove the entry point. - Run with
--authand require all callers tosigninbefore issuinguse. - Revoke namespace-level tokens promptly when a namespace is dropped.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T20:21:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "An anonymous caller could create new namespaces and databases on a running SurrealDB instance without holding `DEFINE NAMESPACE` or `DEFINE DATABASE` permission.\n\n`USE NS \u003cname\u003e` and `USE DB \u003cname\u003e` automatically create the target when it does not exist. The three places `USE` is handled \u2014 the RPC `use` method, `Datastore::process_use`, and the SurrealQL executor \u2014 did not check whether the caller was allowed to create the resource. Under default capabilities any session reached this path, including an unauthenticated guest.\n\n### Impact\n\nWhat an attacker **can** do:\n\n- Create new namespaces and databases without `DEFINE NAMESPACE` / `DEFINE DATABASE` permission. An unauthenticated guest is enough under default capabilities.\n- Recreate a parent namespace that an operator deliberately dropped, using a stale namespace-Editor token, by running `USE NS \u003cdropped\u003e DB anything`.\n- Exhaust catalog storage by repeatedly creating new resources.\n\nWhat it **can\u0027t** do:\n\n- Read or modify data inside any pre-existing namespace or database.\n- Escalate to root or namespace-owner privileges on existing resources.\n- Affect deployments running with `auth_enabled=false`.\n\n### Patches\n\nAll three `USE` entry points now check whether the caller has `DEFINE NAMESPACE` / `DEFINE DATABASE` authority before creating a missing target. Sessions still update their context regardless of authorization, so SDKs that send `use` before `signin` continue to work \u2014 only the catalog creation step is gated. The parent-namespace side-effect path is closed by the same check.\n\nVersions 3.1.0 and later are not affected.\n\n### Workarounds\n\n- Set `--deny-arbitrary-query *` for guest principals to remove the entry point.\n- Run with `--auth` and require all callers to `signin` before issuing `use`.\n- Revoke namespace-level tokens promptly when a namespace is dropped.",
"id": "GHSA-wp87-mgvq-5j93",
"modified": "2026-07-01T20:21:25Z",
"published": "2026-07-01T20:21:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-wp87-mgvq-5j93"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/f3ee3bd55533c14f1fa3e69ce18fc8904c1ce3f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization"
}
GHSA-WP8C-MCG4-HH47
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30Vulnerability in the Oracle Field Service product of Oracle E-Business Suite (component: Field Service Engineer Portal). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21271"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:18Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Field Service product of Oracle E-Business Suite (component: Field Service Engineer Portal). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-wp8c-mcg4-hh47",
"modified": "2024-10-15T21:30:39Z",
"published": "2024-10-15T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21271"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WP8H-M67C-CXPW
Vulnerability from github – Published: 2023-08-23 12:30 – Updated: 2024-09-16 14:37A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.
{
"affected": [],
"aliases": [
"CVE-2023-3899"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-23T11:15:07Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.",
"id": "GHSA-wp8h-m67c-cxpw",
"modified": "2024-09-16T14:37:21Z",
"published": "2023-08-23T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3899"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4701"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4702"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4703"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4704"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4705"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4706"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4707"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4708"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-3899"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225407"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJHKSBBZRDFOBNDU35FUKMYQIQYT6UJQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDIHGNLS3TZVX7X2F735OKI4KXPY4AH6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP8J-9R8Q-4WV8
Vulnerability from github – Published: 2024-03-27 15:30 – Updated: 2024-03-27 15:30Incorrect Authorization vulnerability in OpenText™ ZENworks Configuration Management (ZCM) allows Unauthorized Use of Device Resources.This issue affects ZENworks Configuration Management (ZCM) versions: 2020 update 3, 23.3, and 23.4.
{
"affected": [],
"aliases": [
"CVE-2023-6400"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-27T13:15:46Z",
"severity": "HIGH"
},
"details": "Incorrect Authorization vulnerability in OpenText\u2122 ZENworks Configuration Management (ZCM) allows Unauthorized Use of Device Resources.This issue affects ZENworks Configuration Management (ZCM) versions: 2020 update 3, 23.3, and 23.4.\n\n",
"id": "GHSA-wp8j-9r8q-4wv8",
"modified": "2024-03-27T15:30:36Z",
"published": "2024-03-27T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6400"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000027630?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPFP-GWWC-VWQ6
Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-06-23 22:48LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litellm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.83.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47102"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T22:48:10Z",
"nvd_published_at": "2026-05-21T21:16:32Z",
"severity": "HIGH"
},
"details": "LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.",
"id": "GHSA-wpfp-gwwc-vwq6",
"modified": "2026-06-23T22:48:10Z",
"published": "2026-05-21T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47102"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/pull/25541"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/128d32d2494b759c5d15da3452452af4c6a34c01"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/commit/e6f18ce75b111c9b93dc15c72894cbdeb53177ce"
},
{
"type": "WEB",
"url": "https://gist.github.com/13ph03nix/9ec616e1fdc77b3673509c60206e827f"
},
{
"type": "PACKAGE",
"url": "https://github.com/BerriAI/litellm"
},
{
"type": "WEB",
"url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8e75edfb-ff05-4e63-bfca-2d93d03fb3b9"
},
{
"type": "WEB",
"url": "https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/litellm-privilege-escalation-via-user-update"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiteLLM allows a user to modify their own user_role via the /user/update endpoint"
}
GHSA-WPG8-MF6H-GM92
Vulnerability from github – Published: 2023-09-12 18:58 – Updated: 2025-02-13 19:11Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.
Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40611"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-12T18:58:34Z",
"nvd_published_at": "2023-09-12T12:15:08Z",
"severity": "MODERATE"
},
"details": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows\u00a0authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.\n\nUsers should upgrade to version 2.7.1 or later which has removed the vulnerability.",
"id": "GHSA-wpg8-mf6h-gm92",
"modified": "2025-02-13T19:11:46Z",
"published": "2023-09-12T18:58:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40611"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/33413"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/12/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow Incorrect Authorization vulnerability"
}
GHSA-WPG9-4G4V-F9RC
Vulnerability from github – Published: 2026-03-03 21:32 – Updated: 2026-04-24 20:58Summary
In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(...) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true.
This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.
Security model note
OpenClaw’s documented trust model is a personal assistant model (one trusted operator), not an adversarial multi-user boundary.
- OpenClaw does not treat one shared gateway/chat surface as a hardened per-user auth boundary.
- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.
This report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.
Details
Relevant path:
1. Voice transcript run omitted senderIsOwner in Discord voice manager.
2. Missing senderIsOwner defaulted to true in agentCommand.
3. Owner-only tool policy is keyed on senderIsOwner.
4. gateway and cron are owner-only tools.
Impact
- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.
- No gateway-auth boundary bypass was required.
- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).
Severity rationale
Downgraded from high to medium to align with OpenClaw’s trust model and deployment assumptions: - Requires participation in the same voice environment as the trusted operator workflow. - Requires Discord voice path conditions (joined voice channel + transcript flow). - Does not introduce a new cross-gateway or unauthenticated boundary bypass.
Remediation
- Always pass explicit
senderIsOwnerfrom Discord voice transcript ingress. - Fail closed (
false) when owner status is unknown for non-local/chat ingress paths. - Keep regression tests that verify owner/non-owner voice speaker handling.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.1 - Patched versions:
>= 2026.3.2(released)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32035"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:32:25Z",
"nvd_published_at": "2026-03-19T22:16:39Z",
"severity": "MODERATE"
},
"details": "### Summary\nIn `openclaw@2026.3.1`, the Discord voice transcript path called `agentCommand(...)` without `senderIsOwner`, and `agentCommand` defaults missing `senderIsOwner` to `true`.\n\nThis could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (`gateway`, `cron`) during voice transcript turns.\n\n### Security model note\nOpenClaw\u2019s documented trust model is a **personal assistant** model (one trusted operator), not an adversarial multi-user boundary.\n\n- OpenClaw does **not** treat one shared gateway/chat surface as a hardened per-user auth boundary.\n- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.\n\nThis report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.\n\n### Details\nRelevant path:\n1. Voice transcript run omitted `senderIsOwner` in Discord voice manager.\n2. Missing `senderIsOwner` defaulted to `true` in `agentCommand`.\n3. Owner-only tool policy is keyed on `senderIsOwner`.\n4. `gateway` and `cron` are owner-only tools.\n\n### Impact\n- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.\n- No gateway-auth boundary bypass was required.\n- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).\n\n### Severity rationale\nDowngraded from high to **medium** to align with OpenClaw\u2019s trust model and deployment assumptions:\n- Requires participation in the same voice environment as the trusted operator workflow.\n- Requires Discord voice path conditions (joined voice channel + transcript flow).\n- Does not introduce a new cross-gateway or unauthenticated boundary bypass.\n\n### Remediation\n- Always pass explicit `senderIsOwner` from Discord voice transcript ingress.\n- Fail closed (`false`) when owner status is unknown for non-local/chat ingress paths.\n- Keep regression tests that verify owner/non-owner voice speaker handling.\n\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.1`\n- Patched versions: `\u003e= 2026.3.2` (released)",
"id": "GHSA-wpg9-4g4v-f9rc",
"modified": "2026-04-24T20:58:59Z",
"published": "2026-03-03T21:32:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32035"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels"
}
GHSA-WPP8-FJGF-PWC7
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-04-29 20:16Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "10.3.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "10.4.0"
},
{
"fixed": "10.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.1.0"
},
{
"fixed": "11.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31673"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-01T18:03:50Z",
"nvd_published_at": "2025-03-31T22:15:19Z",
"severity": "MODERATE"
},
"details": "Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.",
"id": "GHSA-wpp8-fjgf-pwc7",
"modified": "2025-04-29T20:16:24Z",
"published": "2025-04-01T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31673"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2025-002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Drupal Core Vulnerable to Forceful Browsing"
}
GHSA-WPPH-CJGR-7C39
Vulnerability from github – Published: 2026-03-03 23:12 – Updated: 2026-03-30 13:18Summary
channels.*.groups.*.toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys.
The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.
Affected Packages / Versions
- Package: npm
openclaw - Affected versions:
<= 2026.2.21-2 - Latest published npm version at triage time (February 22, 2026):
2026.2.21-2 - Patched version (planned next release):
2026.2.22
Impact
This is a sender-authorization bypass in group tool policy matching for deployments that use toolsBySender with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision.
Fix Commit(s)
5547a2275cb69413af3b62c795b93214fe913b57
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.22). Once that npm release is published, this advisory should only need publishing.
OpenClaw thanks @jiseoung for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32039"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T23:12:21Z",
"nvd_published_at": "2026-03-19T22:16:40Z",
"severity": "MODERATE"
},
"details": "### Summary\n`channels.*.groups.*.toolsBySender` could match a privileged sender policy using a colliding mutable identity value (for example `senderName` or `senderUsername`) when deployments used untyped keys.\n\nThe fix introduces explicit typed sender keys (`id:`, `e164:`, `username:`, `name:`), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Affected versions: `\u003c= 2026.2.21-2`\n- Latest published npm version at triage time (February 22, 2026): `2026.2.21-2`\n- Patched version (planned next release): `2026.2.22`\n\n### Impact\nThis is a sender-authorization bypass in group tool policy matching for deployments that use `toolsBySender` with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision.\n\n### Fix Commit(s)\n- `5547a2275cb69413af3b62c795b93214fe913b57`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once that npm release is published, this advisory should only need publishing.\n\nOpenClaw thanks @jiseoung for reporting.",
"id": "GHSA-wpph-cjgr-7c39",
"modified": "2026-03-30T13:18:04Z",
"published": "2026-03-03T23:12:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32039"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s typed sender-key matching for toolsBySender prevents identity-collision policy bypass"
}
GHSA-WQ6J-H853-FWF7
Vulnerability from github – Published: 2025-01-30 12:31 – Updated: 2025-01-30 12:31An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint "/embedai/visits/show/" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page.
{
"affected": [],
"aliases": [
"CVE-2025-0743"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-30T12:15:27Z",
"severity": "MODERATE"
},
"details": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint \"/embedai/visits/show/\u003cVISIT_ID\u003e\" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page.",
"id": "GHSA-wq6j-h853-fwf7",
"modified": "2025-01-30T12:31:19Z",
"published": "2025-01-30T12:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0743"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.