CWE-184
AllowedIncomplete List of Disallowed Inputs
Abstraction: Base · Status: Draft
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
306 vulnerabilities reference this CWE, most recent first.
GHSA-CCWH-WWPP-6WG5
Vulnerability from github – Published: 2026-06-18 13:02 – Updated: 2026-06-18 13:02Summary
Host environment sanitizer missed two Node.js control variables. In affected versions, a lower-trust env source such as a workspace .env, tool env override, or skill env block could pass Node.js control variables through the shared sanitizer.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could influence a later Node.js child process or coverage output path when that process is launched under the accepted environment. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.26.
Mitigations
avoid inheriting workspace or tool-supplied env values from untrusted repositories until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.5.22"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53864"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:02:49Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nHost environment sanitizer missed two Node.js control variables. In affected versions, a lower-trust env source such as a workspace `.env`, tool env override, or skill env block could pass Node.js control variables through the shared sanitizer.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could influence a later Node.js child process or coverage output path when that process is launched under the accepted environment. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.26`.\n\n### Mitigations\n\navoid inheriting workspace or tool-supplied env values from untrusted repositories until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-ccwh-wwpp-6wg5",
"modified": "2026-06-18T13:02:49Z",
"published": "2026-06-18T13:02:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccwh-wwpp-6wg5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53864"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-node-js-control-variables"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Host environment sanitizer missed two Node.js control variables"
}
GHSA-CF45-HXWJ-4CFJ
Vulnerability from github – Published: 2026-04-04 06:09 – Updated: 2026-04-07 14:19Summary
An open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication.
Details
A parser differential exists between the server-side URL validation logic and how modern browsers interpret URL path segments containing backslashes. Specifically, certain URL patterns are incorrectly classified as safe relative paths by the server, but are normalized by browsers into external domain references.
This is particularly impactful in SSO authentication flows (e.g., OAuth2 providers), where an attacker can craft a login URL that redirects the victim to an attacker-controlled site immediately after successful authentication, without any visible indication during the login process.
Impact
- Phishing: Users may be silently redirected to attacker-controlled sites impersonating legitimate services after authenticating.
- Credential/token theft: The redirect can be chained to capture OAuth tokens or authorization codes.
- Trust erosion: Users lose confidence in the application after being redirected to unexpected domains post-login.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.16.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35410"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-20",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:09:55Z",
"nvd_published_at": "2026-04-06T22:16:22Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAn open redirect vulnerability exists in the login redirection logic. The `isLoginRedirectAllowed` function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication.\n\n### Details\n\nA parser differential exists between the server-side URL validation logic and how modern browsers interpret URL path segments containing backslashes. Specifically, certain URL patterns are incorrectly classified as safe relative paths by the server, but are normalized by browsers into external domain references.\n\nThis is particularly impactful in SSO authentication flows (e.g., OAuth2 providers), where an attacker can craft a login URL that redirects the victim to an attacker-controlled site immediately after successful authentication, without any visible indication during the login process.\n\n### Impact\n\n- **Phishing:** Users may be silently redirected to attacker-controlled sites impersonating legitimate services after authenticating.\n- **Credential/token theft:** The redirect can be chained to capture OAuth tokens or authorization codes.\n- **Trust erosion:** Users lose confidence in the application after being redirected to unexpected domains post-login.",
"id": "GHSA-cf45-hxwj-4cfj",
"modified": "2026-04-07T14:19:59Z",
"published": "2026-04-04T06:09:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35410"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow"
}
GHSA-CG7Q-FG22-4G98
Vulnerability from github – Published: 2026-04-03 03:07 – Updated: 2026-05-06 19:12Summary
Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
Current Maintainer Triage
- Normalized severity: medium
- Assessment: v2026.3.28 also misses the broader package, registry, compiler, Docker, and TLS env family in the shipped host-env policy, and the unreleased main fix means this is a real medium-severity open issue.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
eb8de6715f02949c21c4e895fffc8a6dcb00975c— 2026-03-31T19:37:43+09:00
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41369"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:07:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nHost exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables\n\n## Current Maintainer Triage\n- Normalized severity: medium\n- Assessment: v2026.3.28 also misses the broader package, registry, compiler, Docker, and TLS env family in the shipped host-env policy, and the unreleased main fix means this is a real medium-severity open issue.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `eb8de6715f02949c21c4e895fffc8a6dcb00975c` \u2014 2026-03-31T19:37:43+09:00\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-cg7q-fg22-4g98",
"modified": "2026-05-06T19:12:01Z",
"published": "2026-04-03T03:07:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables"
}
GHSA-CGGJ-FVV3-CQWV
Vulnerability from github – Published: 2018-10-16 17:45 – Updated: 2024-03-15 01:08FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.8.11.0"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.11.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.7.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-7489"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:31:30Z",
"nvd_published_at": "2018-02-26T15:29:00Z",
"severity": "CRITICAL"
},
"details": "FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
"id": "GHSA-cggj-fvv3-cqwv",
"modified": "2024-03-15T01:08:04Z",
"published": "2018-10-16T17:45:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/issues/1931"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/e66c0a9d3c926ff1b63bf586c824ead1d02f2a3d"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/c921f0935d5e41bf206e702d8077a275ba1a6efc"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/bc22f90eb7f896ace9567598a99cb1ff6e0f9d9d"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4190"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180328-0001"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-cggj-fvv3-cqwv"
},
{
"type": "PACKAGE",
"url": "https://github.com/FasterXML/jackson-databind"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2938"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2090"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2089"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1786"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1451"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1450"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1449"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1448"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1447"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "FasterXML jackson-databind allows unauthenticated remote code execution "
}
GHSA-CM8V-2VH9-CXF3
Vulnerability from github – Published: 2026-04-09 20:28 – Updated: 2026-05-06 02:40Impact
GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant).
Git plumbing environment variables were not removed before host exec and could redirect Git operations.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<=2026.3.30 - Patched versions:
2026.4.8
Fix
The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Verification
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41915"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T20:28:32Z",
"nvd_published_at": "2026-04-28T19:37:45Z",
"severity": "LOW"
},
"details": "## Impact\n\nGIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant).\n\nGit plumbing environment variables were not removed before host exec and could redirect Git operations.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c=2026.3.30`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
"id": "GHSA-cm8v-2vh9-cxf3",
"modified": "2026-05-06T02:40:57Z",
"published": "2026-04-09T20:28:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41915"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-git-environment-variable-injection-via-unfiltered-exec-environment"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)"
}
GHSA-CQ2G-PW6Q-HF7J
Vulnerability from github – Published: 2022-12-19 21:09 – Updated: 2023-10-02 11:04Impact
A local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Cortex Alertmanager service using -experimental.alertmanager.enable-api or enable_api: true are affected.
Specific Go Packages Affected
github.com/cortexproject/cortex/pkg/alertmanager
Patches
Affected Cortex users are advised to upgrade to versions 1.13.2 or 1.14.1.
Workarounds
Patching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the api_key_file setting in the opsgenie_configs section and opsgenie_api_key_file in the global section before sending to the Set Alertmanager Configuration API as a workaround.
References
- Fixed Versions:
- https://github.com/cortexproject/cortex/releases/tag/v1.14.1
- https://github.com/cortexproject/cortex/releases/tag/v1.13.2
- https://cortexmetrics.io/docs/api/#set-alertmanager-configuration
For more information
If you have any questions or comments about this advisory:
- Open an issue in cortex
- Email us at cortex-team@googlegroups.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cortexproject/cortex"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.14.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/cortexproject/cortex"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23536"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-641",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-19T21:09:05Z",
"nvd_published_at": "2022-12-19T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the [Alertmanager Set Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration). Only users of the Cortex Alertmanager service using `-experimental.alertmanager.enable-api` or `enable_api: true` are affected.\n\n### Specific Go Packages Affected\ngithub.com/cortexproject/cortex/pkg/alertmanager\n\n### Patches\nAffected Cortex users are advised to upgrade to versions 1.13.2 or 1.14.1.\n\n### Workarounds\nPatching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section and `opsgenie_api_key_file` in the `global` section before sending to the [Set Alertmanager Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration) as a workaround.\n\n### References\n- Fixed Versions:\n - https://github.com/cortexproject/cortex/releases/tag/v1.14.1\n - https://github.com/cortexproject/cortex/releases/tag/v1.13.2\n- https://cortexmetrics.io/docs/api/#set-alertmanager-configuration\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [cortex](https://github.com/cortexproject/cortex/issues/new/choose)\n* Email us at [cortex-team@googlegroups.com](mailto:cortex-team@googlegroups.com).\n",
"id": "GHSA-cq2g-pw6q-hf7j",
"modified": "2023-10-02T11:04:41Z",
"published": "2022-12-19T21:09:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23536"
},
{
"type": "WEB",
"url": "https://github.com/cortexproject/cortex/commit/03e023d8b012887b31cc268d0d011b01e1e65506"
},
{
"type": "WEB",
"url": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration"
},
{
"type": "PACKAGE",
"url": "https://github.com/cortexproject/cortex"
},
{
"type": "WEB",
"url": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2"
},
{
"type": "WEB",
"url": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-1175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cortex\u0027s Alertmanager can expose local files content via specially crafted config"
}
GHSA-CV2W-Q8C3-XJV7
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2023-12-18 11:30Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).
Jenkins 2.319, LTS 2.303.3 prevents agents from accessing contents of build directories unless it’s for builds currently running on the agent attempting to access the directory.
Update Pipeline: Nodes and Processes to version 2.40 or newer for Jenkins to associate Pipeline node blocks with the agent they’re running on for this fix.
If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.303.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.303.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.318"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.304"
},
{
"fixed": "2.319"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21697"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-23T06:46:48Z",
"nvd_published_at": "2021-11-04T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (`build.xml` and some Pipeline-related metadata).\n\nJenkins 2.319, LTS 2.303.3 prevents agents from accessing contents of build directories unless it\u2019s for builds currently running on the agent attempting to access the directory.\n\nUpdate [Pipeline: Nodes and Processes](https://plugins.jenkins.io/workflow-durable-task-step/) to version 2.40 or newer for Jenkins to associate Pipeline `node` blocks with the agent they\u2019re running on for this fix.\n\nIf you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the [Remoting Security Workaround Plugin](https://www.jenkins.io/redirect/remoting-security-workaround/). It will prevent all agent-to-controller file access using `FilePath` APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.",
"id": "GHSA-cv2w-q8c3-xjv7",
"modified": "2023-12-18T11:30:58Z",
"published": "2022-05-24T19:19:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21697"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/cf388d2a04e6016d23eb93fa3cc804f2554b98f0"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/eae33841b587da787f37d5b6c8451d483edc04d9"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/04/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Agent-to-controller access control allows reading/writing most content of build directories in Jenkins"
}
GHSA-CWPP-5962-Q4F6
Vulnerability from github – Published: 2026-06-18 20:10 – Updated: 2026-06-18 20:10Summary
Exec allowlist could miss side effects from transparent command wrappers. In affected versions, a command request that reaches the exec allowlist path could be evaluated against the inner command while the wrapper invocation still executed.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could perform wrapper-level side effects outside the intent of the allowlisted command. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.26.
Mitigations
review wrapper commands carefully and require approval for shell-like wrapper usage until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.5.22"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53848"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T20:10:30Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nExec allowlist could miss side effects from transparent command wrappers. In affected versions, a command request that reaches the exec allowlist path could be evaluated against the inner command while the wrapper invocation still executed.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could perform wrapper-level side effects outside the intent of the allowlisted command. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.26`.\n\n### Mitigations\n\nreview wrapper commands carefully and require approval for shell-like wrapper usage until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-cwpp-5962-q4f6",
"modified": "2026-06-18T20:10:30Z",
"published": "2026-06-18T20:10:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwpp-5962-q4f6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53848"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-transparent-command-wrappers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Exec allowlist could miss side effects from transparent command wrappers"
}
GHSA-F397-5VJW-V2C2
Vulnerability from github – Published: 2026-06-18 13:03 – Updated: 2026-06-18 13:03Summary
Shell inline-command parsing could miss an allowlist check. In affected versions, a command request using shell inline-command forms could route an inline command through a parser case that did not receive the expected allowlist decision.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could run shell content without the intended approval or allowlist prompt. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.12.
Mitigations
require approval for shell inline-command forms until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.5.10-beta.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53866"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:03:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nShell inline-command parsing could miss an allowlist check. In affected versions, a command request using shell inline-command forms could route an inline command through a parser case that did not receive the expected allowlist decision.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could run shell content without the intended approval or allowlist prompt. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.12`.\n\n### Mitigations\n\nrequire approval for shell inline-command forms until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-f397-5vjw-v2c2",
"modified": "2026-06-18T13:03:52Z",
"published": "2026-06-18T13:03:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f397-5vjw-v2c2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53866"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-in-shell-inline-command-parsing"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Shell inline-command parsing could miss an allowlist check"
}
GHSA-F5Q9-J9R2-34GQ
Vulnerability from github – Published: 2022-12-30 12:30 – Updated: 2023-01-10 16:13In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kylin:kylin"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43396"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-03T12:34:52Z",
"nvd_published_at": "2022-12-30T11:15:00Z",
"severity": "HIGH"
},
"details": "In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the `kylin.engine.spark-cmd` parameter of `conf`.",
"id": "GHSA-f5q9-j9r2-34gq",
"modified": "2023-01-10T16:13:03Z",
"published": "2022-12-30T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43396"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/kylin/pull/2011"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ob2ks04zl5ms0r44cd74y1xdl1rzfd1r"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Kylin vulnerable to Command injection by Useless configuration"
}
Mitigation
Strategy: Input Validation
Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
CAPEC-120: Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-182: Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.