CWE-289
AllowedAuthentication Bypass by Alternate Name
Abstraction: Base · Status: Incomplete
The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
60 vulnerabilities reference this CWE, most recent first.
GHSA-9P64-VWXM-HXQM
Vulnerability from github – Published: 2025-03-14 06:30 – Updated: 2025-03-14 06:30The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.
{
"affected": [],
"aliases": [
"CVE-2024-11283"
],
"database_specific": {
"cwe_ids": [
"CWE-289"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T05:15:37Z",
"severity": "HIGH"
},
"details": "The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user\u0027s identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.",
"id": "GHSA-9p64-vwxm-hxqm",
"modified": "2025-03-14T06:30:41Z",
"published": "2025-03-14T06:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11283"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfa487fb-c014-47f1-9537-73881ede30b4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9R87-MVCW-X35F
Vulnerability from github – Published: 2026-07-06 20:52 – Updated: 2026-07-06 20:52Summary
Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.
Impact
An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.
Patches
The fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type.
The fix was backported to all supported release lines:
| Release line | Patched version |
|---|---|
| 2.34 | v2.34.2 |
| 2.33 | v2.33.8 |
| 2.32 | v2.32.7 |
| 2.29 (ESR) | v2.29.17 |
Workarounds
Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
Resources
- Fix: #25712, #25713
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.32.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.29.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55075"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-289"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T20:52:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nTwo flaws in Coder\u0027s OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified.\n\n### Impact\n\nAn attacker who could authenticate at the configured OIDC provider with an email matching a victim\u0027s Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.\n\n### Patches\n\nThe fix restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type.\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n| 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |\n\n### Workarounds\n\nConfigure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.\n\n### Resources\n\n- Fix: #25712, #25713\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22450) for independently disclosing this issue!",
"id": "GHSA-9r87-mvcw-x35f",
"modified": "2026-07-06T20:52:13Z",
"published": "2026-07-06T20:52:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/25712"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/25713"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/coder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass"
}
GHSA-9RQ6-59M3-GMGX
Vulnerability from github – Published: 2024-06-13 06:30 – Updated: 2024-06-13 06:30The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.
{
"affected": [],
"aliases": [
"CVE-2024-2098"
],
"database_specific": {
"cwe_ids": [
"CWE-289",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T06:15:09Z",
"severity": "HIGH"
},
"details": "The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the \u0027protectMediaLibrary\u0027 function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.",
"id": "GHSA-9rq6-59m3-gmgx",
"modified": "2024-06-13T06:30:53Z",
"published": "2024-06-13T06:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2098"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3072712/download-manager"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C244-P6M5-VQJ6
Vulnerability from github – Published: 2026-02-09 12:30 – Updated: 2026-02-11 19:48Impact
Authentication Bypass: A vulnerability exists in Apache Shiro that allows authentication bypass for static files when served from a case-insensitive filesystem (such as the default configuration on macOS or Windows).
The issue arises when Shiro's URL filters are configured with lower-case rules (a common default), but the underlying operating system treats mixed-case filenames as identical. An attacker can access protected static resources by varying the capitalization of the filename in the request (e.g., requesting /SECRET.TXT to bypass a rule for /secret.txt).
This issue specifically affects static file handling and does not impact dynamic resource paths that are case-sensitive.
Patches
Users should upgrade to Apache Shiro 2.1.0 or later.
Important Configuration Note: Version 2.1.0 introduces a new configuration parameter to handle case-insensitivity, which must be enabled manually to resolve the issue:
- shiro.ini:
ini filterChainResolver.caseInsensitive = true - Spring Boot (application.properties):
properties shiro.caseInsensitive=true
Note: Apache Shiro 3.0.0 (upcoming) will enable this setting by default.
Workarounds
- Ensure that the filesystem hosting the application is case-sensitive (e.g., Linux/Unix).
- Manually configure all Shiro filter chains to handle all possible case variations of protected filenames (not recommended due to complexity).
Resources
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.6"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.shiro:shiro-spring"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23903"
],
"database_specific": {
"cwe_ids": [
"CWE-289"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-11T19:48:43Z",
"nvd_published_at": "2026-02-09T10:15:57Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n**Authentication Bypass:**\nA vulnerability exists in Apache Shiro that allows authentication bypass for static files when served from a case-insensitive filesystem (such as the default configuration on macOS or Windows).\n\nThe issue arises when Shiro\u0027s URL filters are configured with lower-case rules (a common default), but the underlying operating system treats mixed-case filenames as identical. An attacker can access protected static resources by varying the capitalization of the filename in the request (e.g., requesting `/SECRET.TXT` to bypass a rule for `/secret.txt`).\n\nThis issue specifically affects static file handling and does not impact dynamic resource paths that are case-sensitive.\n\n### Patches\nUsers should upgrade to Apache Shiro **2.1.0** or later.\n\n**Important Configuration Note:**\nVersion 2.1.0 introduces a new configuration parameter to handle case-insensitivity, which must be enabled manually to resolve the issue:\n\n* **shiro.ini:**\n ```ini\n filterChainResolver.caseInsensitive = true\n ```\n* **Spring Boot (application.properties):**\n ```properties\n shiro.caseInsensitive=true\n ```\n\n*Note: Apache Shiro 3.0.0 (upcoming) will enable this setting by default.*\n\n### Workarounds\n* Ensure that the filesystem hosting the application is case-sensitive (e.g., Linux/Unix).\n* Manually configure all Shiro filter chains to handle all possible case variations of protected filenames (not recommended due to complexity).\n\n### Resources\n* [CVE-2026-23903](https://nvd.nist.gov/vuln/detail/CVE-2026-23903)\n* [Mailing List Announcement](https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k)\n* [OSS-Security List](http://www.openwall.com/lists/oss-security/2026/02/08/1)",
"id": "GHSA-c244-p6m5-vqj6",
"modified": "2026-02-11T19:48:43Z",
"published": "2026-02-09T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23903"
},
{
"type": "WEB",
"url": "https://github.com/apache/shiro/commit/3b9638b957495004599aeaf24ba8949e309f26e8"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/shiro"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Shiro has an Authentication Bypass"
}
GHSA-CG23-QF8F-62RR
Vulnerability from github – Published: 2024-11-13 18:29 – Updated: 2024-11-14 23:55Description
When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.
Resolution
The PersistentRememberMeHandler class now ensures the submitted username is the cookie owner.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.4.47"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-BETA1"
},
{
"fixed": "6.4.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-BETA1"
},
{
"fixed": "7.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-51996"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-289"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-13T18:29:04Z",
"nvd_published_at": "2024-11-13T17:15:11Z",
"severity": "HIGH"
},
"details": "### Description\n\nWhen consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.\n\n### Resolution\n\nThe `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4.\n\n### Credits\n\nWe would like to thank Moritz Rauch - Pentryx AG for reporting the issue and J\u00e9r\u00e9my Deruss\u00e9 for providing the fix.",
"id": "GHSA-cg23-qf8f-62rr",
"modified": "2024-11-14T23:55:43Z",
"published": "2024-11-13T18:29:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51996"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2024-51996.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51996.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2024-51996"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Symfony has an Authentication Bypass via RememberMe"
}
GHSA-CV5F-6R7G-8Q4W
Vulnerability from github – Published: 2025-03-31 15:30 – Updated: 2025-03-31 15:30Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled.
{
"affected": [],
"aliases": [
"CVE-2025-29266"
],
"database_specific": {
"cwe_ids": [
"CWE-289"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T13:15:43Z",
"severity": "CRITICAL"
},
"details": "Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled.",
"id": "GHSA-cv5f-6r7g-8q4w",
"modified": "2025-03-31T15:30:44Z",
"published": "2025-03-31T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29266"
},
{
"type": "WEB",
"url": "https://docs.unraid.net/unraid-os/release-notes/7.0.1"
},
{
"type": "WEB",
"url": "https://edac.dev/security/CVE-2025-29266"
},
{
"type": "WEB",
"url": "https://github.com/unraid/webgui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FV2H-753J-9G39
Vulnerability from github – Published: 2023-09-20 23:01 – Updated: 2024-10-11 15:37Impact
When a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider.
An application is impacted if they rely on any of these features in their authentication/authorization logic: * the issuer of the generated identity and claims * items in the stored request state (AuthenticationProperties)
Patches
Patched in version 2.9.2 and 1.0.3. All previous versions are vulnerable.
Workarounds
The AcsCommandResultCreated notification can be used to add the validation required if an upgrade to patched packages is not possible.
References
The patch is linked to https://github.com/Sustainsys/Saml2/issues/712 and https://github.com/Sustainsys/Saml2/issues/713
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Sustainsys.Saml2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Sustainsys.Saml2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Kentor.AuthServices"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41890"
],
"database_specific": {
"cwe_ids": [
"CWE-289",
"CWE-294"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-20T23:01:52Z",
"nvd_published_at": "2023-09-19T15:15:52Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider.\n\nAn application is impacted if they rely on any of these features in their authentication/authorization logic:\n* the issuer of the generated identity and claims\n* items in the stored request state (AuthenticationProperties)\n\n### Patches\nPatched in version 2.9.2 and 1.0.3. All previous versions are vulnerable.\n\n### Workarounds\nThe `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.\n\n### References\nThe patch is linked to https://github.com/Sustainsys/Saml2/issues/712 and https://github.com/Sustainsys/Saml2/issues/713\n",
"id": "GHSA-fv2h-753j-9g39",
"modified": "2024-10-11T15:37:58Z",
"published": "2023-09-20T23:01:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41890"
},
{
"type": "WEB",
"url": "https://github.com/Sustainsys/Saml2/issues/712"
},
{
"type": "WEB",
"url": "https://github.com/Sustainsys/Saml2/issues/713"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sustainsys/Saml2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation"
}
GHSA-G57M-HR98-5M89
Vulnerability from github – Published: 2026-06-26 03:31 – Updated: 2026-07-15 03:32A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.
This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
{
"affected": [],
"aliases": [
"CVE-2026-48618"
],
"database_specific": {
"cwe_ids": [
"CWE-176",
"CWE-289"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T02:16:52Z",
"severity": "HIGH"
},
"details": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\n\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"id": "GHSA-g57m-hr98-5m89",
"modified": "2026-07-15T03:32:51Z",
"published": "2026-06-26T03:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28727"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29012"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30172"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35891"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35892"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39246"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48618.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G7CR-9H7Q-4QXQ
Vulnerability from github – Published: 2026-03-12 14:21 – Updated: 2026-04-06 22:45OpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but groupAllowFrom was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended groupPolicy: "allowlist" sender check.
This does not affect default unauthenticated access, but it does weaken a documented Teams group authorization boundary and can allow unauthorized group senders to trigger replies in allowlisted Teams routes.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published vulnerable version:
2026.3.7 - Affected range:
<= 2026.3.7 - Fixed in released version:
2026.3.8
Fix Commit(s)
88aee9161e0e6d32e810a25711e32a808a1777b2
Release Verification
- Verified fixed in GitHub release
v2026.3.8published on March 9, 2026. - Verified
npm view openclaw versionresolves to2026.3.8. - Verified the release contains the regression test covering the Teams route-allowlist sender-bypass case and that the test passes against the
v2026.3.8tree.
Thanks @zpbrent for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.7"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34506"
],
"database_specific": {
"cwe_ids": [
"CWE-289"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:21:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "OpenClaw\u0027s Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but `groupAllowFrom` was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended `groupPolicy: \"allowlist\"` sender check.\n\nThis does not affect default unauthenticated access, but it does weaken a documented Teams group authorization boundary and can allow unauthorized group senders to trigger replies in allowlisted Teams routes.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.3.7`\n- Affected range: `\u003c= 2026.3.7`\n- Fixed in released version: `2026.3.8`\n\n## Fix Commit(s)\n\n- `88aee9161e0e6d32e810a25711e32a808a1777b2`\n\n## Release Verification\n\n- Verified fixed in GitHub release `v2026.3.8` published on March 9, 2026.\n- Verified `npm view openclaw version` resolves to `2026.3.8`.\n- Verified the release contains the regression test covering the Teams route-allowlist sender-bypass case and that the test passes against the `v2026.3.8` tree.\n\nThanks @zpbrent for reporting.",
"id": "GHSA-g7cr-9h7q-4qxq",
"modified": "2026-04-06T22:45:49Z",
"published": "2026-03-12T14:21:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34506"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty"
}
GHSA-H2P8-37QR-QFR9
Vulnerability from github – Published: 2025-08-20 18:30 – Updated: 2025-12-24 00:30A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment.
{
"affected": [],
"aliases": [
"CVE-2025-8415"
],
"database_specific": {
"cwe_ids": [
"CWE-289"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T17:15:37Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in the Cryostat HTTP API. Cryostat\u0027s HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment.",
"id": "GHSA-h2p8-37qr-qfr9",
"modified": "2025-12-24T00:30:12Z",
"published": "2025-08-20T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8415"
},
{
"type": "WEB",
"url": "https://github.com/cryostatio/cryostat/pull/1001"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14919"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-8415"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385773"
},
{
"type": "WEB",
"url": "https://github.com/cryostatio/cryostat/releases/tag/v4.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-44
Strategy: Input Validation
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.