CWE-436
Interpretation Conflict
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
CVE-2026-0958 (GCVE-0-2026-0958)
Vulnerability from cvelistv5 – Published: 2026-02-11 11:33 – Updated: 2026-02-11 15:19- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/586202 | issue-trackingpermissions-required |
| https://hackerone.com/reports/3463363 | technical-descriptionexploitpermissions-required |
| https://about.gitlab.com/releases/2026/02/10/patc… |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T15:19:34.582283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T15:19:41.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.6.6",
"status": "affected",
"version": "18.4",
"versionType": "semver"
},
{
"lessThan": "18.7.4",
"status": "affected",
"version": "18.7",
"versionType": "semver"
},
{
"lessThan": "18.8.4",
"status": "affected",
"version": "18.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [elbo7](https://hackerone.com/elbo7) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T11:33:46.426Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #586202",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/586202"
},
{
"name": "HackerOne Bug Bounty Report #3463363",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3463363"
},
{
"url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.6.6, 18.7.4, 18.8.4 or above."
}
],
"title": "Interpretation Conflict in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0958",
"datePublished": "2026-02-11T11:33:46.426Z",
"dateReserved": "2026-01-14T19:33:49.737Z",
"dateUpdated": "2026-02-11T15:19:41.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13676 (GCVE-0-2026-13676)
Vulnerability from cvelistv5 – Published: 2026-06-29 13:22 – Updated: 2026-07-02 12:05| URL | Tags |
|---|---|
| https://github.com/fastify/fast-uri/security/advi… | |
| https://cna.openjsf.org/security-advisories.html | |
| https://access.redhat.com/security/cve/CVE-2026-13676 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2494197 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| fast-uri | fast-uri |
Affected:
4.0.0 , < 4.0.1
(semver)
Unaffected: 4.0.1 (semver) Affected: 2.3.1 , < 3.1.3 (semver) Unaffected: 3.1.3 (semver) |
|
| Red Hat | Confidential Compute Attestation |
cpe:/a:redhat:confidential_compute_attestation:1 |
|
| Red Hat | Cryostat 4 |
cpe:/a:redhat:cryostat:4 |
|
| Red Hat | Migration Toolkit for Applications 8 |
cpe:/a:redhat:migration_toolkit_applications:8 |
|
| Red Hat | Migration Toolkit for Containers |
cpe:/a:redhat:rhmt:1 |
|
| Red Hat | Multicluster Engine for Kubernetes |
cpe:/a:redhat:multicluster_engine |
|
| Red Hat | Network Observability Operator |
cpe:/a:redhat:network_observ_optr:1 |
|
| Red Hat | OpenShift Lightspeed |
cpe:/a:redhat:openshift_lightspeed |
|
| Red Hat | OpenShift Pipelines |
cpe:/a:redhat:openshift_pipelines:1 |
|
| Red Hat | OpenShift Serverless |
cpe:/a:redhat:serverless:1 |
|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2 |
cpe:/a:redhat:acm:2 |
|
| Red Hat | Red Hat AMQ Broker 7 |
cpe:/a:redhat:amq_broker:7 |
|
| Red Hat | Red Hat Ansible Automation Platform 2 |
cpe:/a:redhat:ansible_automation_platform:2 |
|
| Red Hat | Red Hat build of Apache Camel - HawtIO 4 |
cpe:/a:redhat:apache_camel_hawtio:4 |
|
| Red Hat | Red Hat build of Apicurio Registry 3 |
cpe:/a:redhat:apicurio_registry:3 |
|
| Red Hat | Red Hat Build of Podman Desktop |
cpe:/a:redhat:podman_desktop:1 |
|
| Red Hat | Red Hat Connectivity Link 1 |
cpe:/a:redhat:connectivity_link:1 |
|
| Red Hat | Red Hat Data Grid 8 |
cpe:/a:redhat:jboss_data_grid:8 |
|
| Red Hat | Red Hat Developer Hub |
cpe:/a:redhat:rhdh:1 |
|
| Red Hat | Red Hat Discovery 2 |
cpe:/a:redhat:discovery:2::el9 |
|
| Red Hat | Red Hat Edge Manager 1 |
cpe:/a:redhat:edge_manager:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat Openshift Data Foundation 4 |
cpe:/a:redhat:openshift_data_foundation:4 |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
|
| Red Hat | Red Hat OpenShift Virtualization 4 |
cpe:/a:redhat:container_native_virtualization:4 |
|
| Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
| Red Hat | Red Hat Satellite 6 |
cpe:/a:redhat:satellite:6 |
|
| Red Hat | Self-service automation portal 2 |
cpe:/a:redhat:ansible_portal:2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:53:20.906495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:53:31.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "affected",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apache_camel_hawtio:4"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apache Camel - HawtIO 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apicurio_registry:3"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apicurio Registry 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "affected",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-29T13:22:44.674Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in fast-uri. This vulnerability occurs because fast-uri fails to properly convert Unicode (Internationalized Domain Name - IDN) hostnames for HTTP-family URLs. This can lead to a situation where security policies, such as denylists or redirect validations, are bypassed when applications use fast-uri to enforce these policies before passing the URL to another parser. A remote attacker could exploit this to circumvent security controls and potentially access unauthorized resources or perform malicious redirects."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-551",
"description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:00.483Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-13676"
},
{
"name": "RHBZ#2494197",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494197"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13676.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-29T14:01:55.592Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-29T13:22:44.674Z",
"value": "Made public."
}
],
"title": "fast-uri: fast-uri: Security policy bypass due to improper Unicode hostname canonicalization",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/fast-uri",
"product": "fast-uri",
"vendor": "fast-uri",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.0.1",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "2.3.1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.1.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "celinke97"
},
{
"lang": "en",
"type": "remediation developer",
"value": "UlisesGascon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node\u0027s URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks."
}
],
"value": "fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node\u0027s URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:22:44.674Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6"
},
{
"url": "https://cna.openjsf.org/security-advisories.html"
}
],
"title": "fast-uri vulnerable to host confusion via failed IDN canonicalization",
"x_generator": {
"engine": "cve-kit 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-13676",
"datePublished": "2026-06-29T13:22:44.674Z",
"dateReserved": "2026-06-29T10:37:49.461Z",
"dateUpdated": "2026-07-02T12:05:00.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14198 (GCVE-0-2026-14198)
Vulnerability from cvelistv5 – Published: 2026-07-01 11:29 – Updated: 2026-07-01 12:10- CWE-436 - Interpretation Conflict
| Vendor | Product | Version | |
|---|---|---|---|
| @fastify/middie | @fastify/middie |
Affected:
9.1.0 , < 9.3.3
(semver)
Unaffected: 9.3.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T12:09:11.989341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:10:29.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/@fastify/middie",
"product": "@fastify/middie",
"vendor": "@fastify/middie",
"versions": [
{
"lessThan": "9.3.3",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.3.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jvr2022"
},
{
"lang": "en",
"type": "remediation developer",
"value": "mcollina"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "UlisesGascon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify\u0027s underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request."
}
],
"value": "@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify\u0027s underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T11:29:20.435Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/fastify/middie/security/advisories/GHSA-2v46-jxjm-7q3v"
},
{
"url": "https://cna.openjsf.org/security-advisories.html"
}
],
"title": "@fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values",
"x_generator": {
"engine": "cve-kit 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-14198",
"datePublished": "2026-07-01T11:29:20.435Z",
"dateReserved": "2026-06-30T09:12:37.009Z",
"dateUpdated": "2026-07-01T12:10:29.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25223 (GCVE-0-2026-25223)
Vulnerability from cvelistv5 – Published: 2026-02-03 21:21 – Updated: 2026-06-30 12:06| URL | Tags |
|---|---|
| https://github.com/fastify/fastify/security/advis… | x_refsource_CONFIRM |
| https://github.com/fastify/fastify/commit/32d7b6a… | x_refsource_MISC |
| https://hackerone.com/reports/3464114 | x_refsource_MISC |
| https://fastify.dev/docs/latest/Reference/Validat… | x_refsource_MISC |
| https://github.com/fastify/fastify/blob/759e9787b… | x_refsource_MISC |
| https://github.com/fastify/fastify/blob/759e9787b… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-25223 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2436560 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:5807 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:10184 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:6192 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| fastify | fastify |
Affected:
< 5.7.2
|
|
| Red Hat | Red Hat OpenShift AI 2.16 |
cpe:/a:redhat:openshift_ai:2.16::el8 |
|
| Red Hat | Red Hat OpenShift AI 2.25 |
cpe:/a:redhat:openshift_ai:2.25::el9 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.27 |
cpe:/a:redhat:openshift_devspaces:3.27::el9 |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:18:10.359742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:18:16.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_ai:2.16::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 2.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:2.25::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 2.25",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.27::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.27",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-03T21:21:40.268Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Fastify, a web framework for Node.js. A remote attacker can exploit a validation bypass vulnerability by appending a tab character followed by arbitrary content to the Content-Type header. This circumvents the request body validation schemas, allowing the server to process the body as the original content type without proper validation. This could lead to unexpected data processing and potential integrity impact."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-179",
"description": "Incorrect Behavior Order: Early Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:34.883Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-25223"
},
{
"name": "RHBZ#2436560",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436560"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25223.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5807"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10184"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6192"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:5807: Red Hat OpenShift AI 2.16"
},
{
"lang": "en",
"value": "RHSA-2026:10184: Red Hat OpenShift AI 2.25"
},
{
"lang": "en",
"value": "RHSA-2026:6192: Red Hat OpenShift Dev Spaces 3.27"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-03T22:01:19.884Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-03T21:21:40.268Z",
"value": "Made public."
}
],
"title": "Fastify: Fastify: Validation bypass due to malformed Content-Type header leading to integrity impact",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "fastify",
"vendor": "fastify",
"versions": [
{
"status": "affected",
"version": "\u003c 5.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:21:40.268Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"
},
{
"name": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"
},
{
"name": "https://hackerone.com/reports/3464114",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3464114"
},
{
"name": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization",
"tags": [
"x_refsource_MISC"
],
"url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"
},
{
"name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"
},
{
"name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"
}
],
"source": {
"advisory": "GHSA-jx2c-rxcm-jvmq",
"discovery": "UNKNOWN"
},
"title": "Fastify\u0027s Content-Type header tab character allows body validation bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25223",
"datePublished": "2026-02-03T21:21:40.268Z",
"dateReserved": "2026-01-30T14:44:47.327Z",
"dateUpdated": "2026-06-30T12:06:34.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26961 (GCVE-0-2026-26961)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:42 – Updated: 2026-04-03 17:58- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://github.com/rack/rack/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T17:57:50.290547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T17:58:12.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.21"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:42:16.766Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"
}
],
"source": {
"advisory": "GHSA-vgpv-f759-9wx3",
"discovery": "UNKNOWN"
},
"title": "Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26961",
"datePublished": "2026-04-02T16:42:16.766Z",
"dateReserved": "2026-02-16T22:20:28.611Z",
"dateUpdated": "2026-04-03T17:58:12.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27444 (GCVE-0-2026-27444)
Vulnerability from cvelistv5 – Published: 2026-03-04 08:47 – Updated: 2026-03-04 19:28- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://downloads.seppmail.com/extrelnotes/150/ER… | release-notes |
| Vendor | Product | Version | |
|---|---|---|---|
| SEPPmail | Secure Email Gateway |
Affected:
0 , < 15.0.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T19:28:45.431055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T19:28:55.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Email Gateway",
"vendor": "SEPPmail",
"versions": [
{
"lessThan": "15.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.1",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andris Suter-D\u00f6rig"
},
{
"lang": "en",
"type": "coordinator",
"value": "Matteo Scarlata"
},
{
"lang": "en",
"type": "coordinator",
"value": "Kenny Paterson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it."
}
],
"value": "SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it."
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194 Fake the Source of Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436 Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T08:47:05.758Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-31T14:22:00.000Z",
"value": "Vulnerability disclosed to SEPPmail"
},
{
"lang": "en",
"time": "2026-01-06T00:00:00.000Z",
"value": "Version 15.0.1 released"
}
],
"title": "Header Email Address Parsing",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2026-27444",
"datePublished": "2026-03-04T08:47:05.758Z",
"dateReserved": "2026-02-19T13:56:28.869Z",
"dateUpdated": "2026-03-04T19:28:55.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27896 (GCVE-0-2026-27896)
Vulnerability from cvelistv5 – Published: 2026-02-26 00:47 – Updated: 2026-06-30 12:08| URL | Tags |
|---|---|
| https://github.com/modelcontextprotocol/go-sdk/se… | x_refsource_CONFIRM |
| https://github.com/modelcontextprotocol/go-sdk/co… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-27896 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2442903 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| modelcontextprotocol | go-sdk |
Affected:
< 1.3.1
|
|
| Red Hat | Migration Toolkit for Virtualization |
cpe:/a:redhat:migration_toolkit_virtualization:2 |
|
| Red Hat | OpenShift Lightspeed |
cpe:/a:redhat:openshift_lightspeed |
|
| Red Hat | OpenShift Serverless |
cpe:/a:redhat:serverless:1 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27896",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T17:06:14.973622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:06:41.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_virtualization:2"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Virtualization",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-26T00:47:46.967Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Go MCP SDK. This issue occurs due to an improper handling of case sensitivity during JSON-RPC message parsing, specifically in the matching of JSON keys to struct field tags. This behavior violates the JSON-RPC 2.0 specification, which explicitly requires case-sensitive field name matching. A malicious MCP peer able to send protocol messages with non-standard field casing can potentially bypass intermediary inspection, allowing attackers to smuggle payloads past upstream filters and cause cross-implementation inconsistency."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:02.756Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-27896"
},
{
"name": "RHBZ#2442903",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442903"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27896.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-26T01:01:38.878Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-26T00:47:46.967Z",
"value": "Made public."
}
],
"title": "modelcontextprotocol/go-sdk: improper handling of case sensitivity",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this flaw, strictly enforce JSON-RPC case sensitivity before payload processing or harden upstream WAF and proxy rules to explicitly block improperly cased requests at the network edge."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "go-sdk",
"vendor": "modelcontextprotocol",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Go MCP SDK used Go\u0027s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go\u0027s standard library performs case-insensitive matching of JSON keys to struct field tags \u2014 a field tagged json:\"method\" would also match \"Method\", \"METHOD\", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and coss-implementation inconsistency. Go\u0027s standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T00:47:46.967Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f"
},
{
"name": "https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0"
}
],
"source": {
"advisory": "GHSA-wvj2-96wp-fq3f",
"discovery": "UNKNOWN"
},
"title": "MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27896",
"datePublished": "2026-02-26T00:47:46.967Z",
"dateReserved": "2026-02-24T15:19:29.717Z",
"dateUpdated": "2026-06-30T12:08:02.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30246 (GCVE-0-2026-30246)
Vulnerability from cvelistv5 – Published: 2026-05-05 12:40 – Updated: 2026-05-05 15:04- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://github.com/gofiber/fiber/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gofiber/fiber/blob/main/middle… | x_refsource_MISC |
| https://github.com/gofiber/fiber/blob/main/middle… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T15:03:58.218760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T15:04:02.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003e= v3.0.0-beta.2, \u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T12:40:19.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"
},
{
"name": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621"
},
{
"name": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92"
}
],
"source": {
"advisory": "GHSA-35hp-hqmv-8qg8",
"discovery": "UNKNOWN"
},
"title": "github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30246",
"datePublished": "2026-05-05T12:40:19.813Z",
"dateReserved": "2026-03-04T17:23:59.799Z",
"dateUpdated": "2026-05-05T15:04:02.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32052 (GCVE-0-2026-32052)
Vulnerability from cvelistv5 – Published: 2026-03-21 00:42 – Updated: 2026-06-23 16:15 X_Open Source- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/0f0a6… | patch |
| https://github.com/openclaw/openclaw/commit/55cf9… | patch |
| https://www.vulncheck.com/advisories/openclaw-hid… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32052",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T16:44:19.432124Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T16:44:28.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.2.24",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.2.24",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.2.24",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "tdjackey"
}
],
"datePublic": "2026-02-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:15:01.311Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-6rcp-vxwf-3mfp)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rcp-vxwf-3mfp"
},
{
"name": "Patch Commit #1",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/0f0a680d3df81739ea5088a2f88e65f938b7936b"
},
{
"name": "Patch Commit #2",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/55cf92578d266987e390c4bf688196af98eac748"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-hidden-command-execution-via-shell-wrapper-positional-argv-carriers"
}
],
"tags": [
"x_open-source"
],
"title": "OpenClaw \u003c 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-32052",
"datePublished": "2026-03-21T00:42:24.234Z",
"dateReserved": "2026-03-10T19:48:47.515Z",
"dateUpdated": "2026-06-23T16:15:01.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32065 (GCVE-0-2026-32065)
Vulnerability from cvelistv5 – Published: 2026-03-21 00:42 – Updated: 2026-06-23 16:15 X_Open Source- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/03e68… | patch |
| https://www.vulncheck.com/advisories/openclaw-app… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:38:03.122634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:38:13.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.2.25",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.2.25",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.2.25",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "tdjackey"
}
],
"datePublic": "2026-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than what the approver displayed, allowing unexpected command execution under the OpenClaw runtime user when they can influence command argv and reuse an approval context."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:15:07.613Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-hwpq-rrpf-pgcq)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.2.25 - Approval Identity Mismatch in system.run Command Execution",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-approval-identity-mismatch-in-system-run-command-execution"
}
],
"tags": [
"x_open-source"
],
"title": "OpenClaw \u003c 2026.2.25 - Approval Identity Mismatch in system.run Command Execution",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-32065",
"datePublished": "2026-03-21T00:42:30.045Z",
"dateReserved": "2026-03-10T19:52:08.741Z",
"dateUpdated": "2026-06-23T16:15:07.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-105: HTTP Request Splitting
['An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).', 'See CanPrecede relationships for possible consequences.']
CAPEC-273: HTTP Response Smuggling
['An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).', 'See CanPrecede relationships for possible consequences.']
CAPEC-34: HTTP Response Splitting
['An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.', 'See CanPrecede relationships for possible consequences.']