CWE-636
Allowed-with-ReviewNot Failing Securely ('Failing Open')
Abstraction: Class · Status: Draft
When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
73 vulnerabilities reference this CWE, most recent first.
GHSA-P9JG-FCR6-3MHF
Vulnerability from github – Published: 2026-07-01 21:51 – Updated: 2026-07-01 21:51Summary
A flaw in com.ongres.scram:scram-client allows an attacker capable of performing a TLS man-in-the-middle (MITM) attack to silently downgrade a connection from SCRAM-SHA-256-PLUS (with channel binding) to standard SCRAM-SHA-256 (without channel binding), bypassing strict client-side enforcement policies.
Component Breakdown
This occurs due to a two-part failure in TlsServerEndpoint when a server presents an X.509 certificate using a modern signature algorithm that lacks traditional WITH naming structures (such as Ed25519 or post-quantum algorithms):
- The internal hash derivation method fails to parse the algorithm name, swallows the resulting
NoSuchAlgorithmException, and silently returns an empty byte array via the deprecatedgetChannelBindingData()` API. - The client builder mistakenly interprets this empty byte array as an environmental absence of channel binding data rather than a cryptographic failure, falling back to non-channel-bound authentication.
Impact & Scope
This issue only impacts deployments where the downstream application layer explicitly enforces strict channel binding enforcement (e.g., channelBinding=require in pgJDBC).
Drivers operating under a "prefer" or "allow" policy (used by default) are structurally insulated from an unhandled exception since a fallback to standard SCRAM is within their expected configuration.
Remediation
Update your project configuration to pull in version 3.3 or later of the SCRAM library, which introduces strict exception propagation and explicit policy controls.
If you are interacting with the ScramClient builder API directly (e.g., writing a custom driver or database extension):
- Migrate Deprecated APIs: Stop using
TlsServerEndpoint.getChannelBindingData(). Transition immediately toTlsServerEndpoint.getChannelBindingHash(), which correctly propagatesNoSuchAlgorithmExceptionup the stack. - Adopt Explicit Policies: Leverage the newly introduced
ChannelBindingPolicyAPI during client construction. Do not rely on implicit parameter presence to dictate your security boundaries.
ScramClient client = ScramClient.builder()
.advertisedMechanisms(serverMechanisms)
.username(user)
.password(pass)
// Explicitly enforce strict boundaries if needed.
.channelBindingPolicy(ChannelBindingPolicy.REQUIRE)
.channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, certHash)
.build();
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2"
},
"package": {
"ecosystem": "Maven",
"name": "com.ongres.scram:scram-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2"
},
"package": {
"ecosystem": "Maven",
"name": "com.ongres.scram:scram-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53712"
],
"database_specific": {
"cwe_ids": [
"CWE-636",
"CWE-757"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T21:51:17Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA flaw in `com.ongres.scram:scram-client` allows an attacker capable of performing a TLS man-in-the-middle (MITM) attack to silently downgrade a connection from `SCRAM-SHA-256-PLUS` (with channel binding) to standard `SCRAM-SHA-256` (without channel binding), bypassing strict client-side enforcement policies.\n\n## Component Breakdown\n\nThis occurs due to a two-part failure in `TlsServerEndpoint` when a server presents an `X.509` certificate using a modern signature algorithm that lacks traditional `WITH` naming structures (such as `Ed25519` or post-quantum algorithms):\n\n1. The internal hash derivation method fails to parse the algorithm name, swallows the resulting `NoSuchAlgorithmException, and silently returns an empty byte array via the deprecated `getChannelBindingData()` API.\n2. The client builder mistakenly interprets this empty byte array as an environmental absence of channel binding data rather than a cryptographic failure, falling back to non-channel-bound authentication.\n\n## Impact \u0026 Scope\n\nThis issue only impacts deployments where the downstream application layer explicitly enforces strict channel binding enforcement (e.g., channelBinding=require in pgJDBC).\n\nDrivers operating under a \"prefer\" or \"allow\" policy (used by default) are structurally insulated from an unhandled exception since a fallback to standard SCRAM is within their expected configuration.\n\n## Remediation\n\nUpdate your project configuration to pull in version 3.3 or later of the SCRAM library, which introduces strict exception propagation and explicit policy controls.\n\nIf you are interacting with the `ScramClient` builder API directly (e.g., writing a custom driver or database extension):\n\n- Migrate Deprecated APIs: Stop using `TlsServerEndpoint.getChannelBindingData()`. Transition immediately to `TlsServerEndpoint.getChannelBindingHash()`, which correctly propagates `NoSuchAlgorithmException` up the stack.\n- Adopt Explicit Policies: Leverage the newly introduced `ChannelBindingPolicy` API during client construction. Do not rely on implicit parameter presence to dictate your security boundaries.\n\n```java\nScramClient client = ScramClient.builder()\n .advertisedMechanisms(serverMechanisms)\n .username(user)\n .password(pass)\n // Explicitly enforce strict boundaries if needed.\n .channelBindingPolicy(ChannelBindingPolicy.REQUIRE) \n .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, certHash)\n .build();\n```",
"id": "GHSA-p9jg-fcr6-3mhf",
"modified": "2026-07-01T21:51:17Z",
"published": "2026-07-01T21:51:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ongres/scram/security/advisories/GHSA-p9jg-fcr6-3mhf"
},
{
"type": "PACKAGE",
"url": "https://github.com/ongres/scram"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms"
}
GHSA-Q2GC-XJQW-QP89
Vulnerability from github – Published: 2026-04-09 17:32 – Updated: 2026-05-06 02:40Impact
strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts.
The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<=2026.4.2 - Patched versions:
2026.4.8
Fix
The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Verification
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42423"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-636"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T17:32:49Z",
"nvd_published_at": "2026-04-28T19:37:46Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nstrictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts.\n\nThe approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c=2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @zsxsoft and @KeenSecurityLab for reporting.",
"id": "GHSA-q2gc-xjqw-qp89",
"modified": "2026-05-06T02:40:53Z",
"published": "2026-04-09T17:32:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42423"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts"
}
GHSA-Q5JF-9VFQ-H4H7
Vulnerability from github – Published: 2026-04-10 15:33 – Updated: 2026-04-24 20:42Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required.
Impact
The bug allows plugin authors to omit provenance (signing) data from plugins, bypassing plugin signature verification upon plugin install/update.
Notably, plugin hooks will be executed as designed on the installed plugin, enabling a malicious plugin to execute arbitrary code.
Patches
This issue has been patched in Helm v4.1.4
Installing/updating a plugin with missing provenance will error if signature verification is required.
Workarounds
Users may manually validate that a plugin archive is not missing provenance data (.prov file) before installation.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.3"
},
"package": {
"ecosystem": "Go",
"name": "helm.sh/helm/v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35205"
],
"database_specific": {
"cwe_ids": [
"CWE-636"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T15:33:03Z",
"nvd_published_at": "2026-04-09T16:16:27Z",
"severity": "HIGH"
},
"details": "Helm is a package manager for Charts for Kubernetes. In Helm versions \u003e=4.0.0 and \u003c=4.1.3, Helm will install plugins missing provenance (`.prov` file) when signature verification is required.\n\n### Impact\n\nThe bug allows plugin authors to omit provenance (signing) data from plugins, bypassing plugin signature verification upon plugin install/update.\n\nNotably, plugin hooks will be executed as designed on the installed plugin, enabling a malicious plugin to execute arbitrary code.\n\n### Patches\n\nThis issue has been patched in Helm v4.1.4\n\nInstalling/updating a plugin with missing provenance will error if signature verification is required.\n\n### Workarounds\n\nUsers may manually validate that a plugin archive is not missing provenance data (`.prov` file) before installation.",
"id": "GHSA-q5jf-9vfq-h4h7",
"modified": "2026-04-24T20:42:00Z",
"published": "2026-04-10T15:33:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35205"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f"
},
{
"type": "PACKAGE",
"url": "https://github.com/helm/helm"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/releases/tag/v4.1.4"
},
{
"type": "WEB",
"url": "https://helm.sh/docs/topics/provenance/#the-provenance-file"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Helm\u0027s plugin verification fails open when .prov is missing, allowing unsigned plugin install"
}
GHSA-QVR7-G57C-MRC7
Vulnerability from github – Published: 2026-03-13 15:48 – Updated: 2026-04-07 18:10Summary
In affected versions of openclaw, local gateway helper credential resolution treated configured but unavailable gateway.auth.token and gateway.auth.password SecretRefs as if they were unset and could fall back to gateway.remote.* credentials in local mode.
Impact
This could cause local CLI and helper paths to select the wrong credential source instead of failing closed for configured local auth SecretRefs. We did not confirm a server-side gateway-authentication boundary bypass for this issue.
Affected Packages and Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.8 - Fixed in:
2026.3.11
Technical Details
The local-mode fallback logic decided whether remote credential fallback was allowed based on resolved credential values rather than on whether the local auth input was actually configured. A configured-but-unavailable local SecretRef therefore looked "absent" to the helper layer.
Fix
OpenClaw now tracks whether the local auth input is configured separately from whether it resolves successfully. In local mode, remote fallback is allowed only when the matching local auth input is truly unset. The fix shipped in openclaw@2026.3.11.
Workarounds
Upgrade to 2026.3.11 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32970"
],
"database_specific": {
"cwe_ids": [
"CWE-636"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T15:48:21Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\nIn affected versions of `openclaw`, local gateway helper credential resolution treated configured but unavailable `gateway.auth.token` and `gateway.auth.password` SecretRefs as if they were unset and could fall back to `gateway.remote.*` credentials in local mode.\n\n## Impact\nThis could cause local CLI and helper paths to select the wrong credential source instead of failing closed for configured local auth SecretRefs. We did not confirm a server-side gateway-authentication boundary bypass for this issue.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe local-mode fallback logic decided whether remote credential fallback was allowed based on resolved credential values rather than on whether the local auth input was actually configured. A configured-but-unavailable local SecretRef therefore looked \"absent\" to the helper layer.\n\n## Fix\nOpenClaw now tracks whether the local auth input is configured separately from whether it resolves successfully. In local mode, remote fallback is allowed only when the matching local auth input is truly unset. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.",
"id": "GHSA-qvr7-g57c-mrc7",
"modified": "2026-04-07T18:10:22Z",
"published": "2026-03-13T15:48:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32970"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode"
}
GHSA-RMHQ-3PJ8-86QJ
Vulnerability from github – Published: 2026-03-09 09:30 – Updated: 2026-03-09 09:30An administrator may attempt to block all networks by specifying "*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all.
{
"affected": [],
"aliases": [
"CVE-2025-41759"
],
"database_specific": {
"cwe_ids": [
"CWE-636"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-09T09:15:59Z",
"severity": "MODERATE"
},
"details": "An administrator may attempt to block all networks by specifying \"\\*\" or \"all\" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all.",
"id": "GHSA-rmhq-3pj8-86qj",
"modified": "2026-03-09T09:30:30Z",
"published": "2026-03-09T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41759"
},
{
"type": "WEB",
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCGP-9326-PQCP
Vulnerability from github – Published: 2026-05-04 22:01 – Updated: 2026-05-14 20:48Summary
A man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.
Details
When using Net::IMAP#starttls to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged OK response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes "successfully" before the response handler is registered. This allows #starttls to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.
This allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks Net::IMAP#tls_verified?.
Impact
TLS bypass, leading to cleartext transmission of sensitive information.
Mitigation
- Upgrade to a patched version of net-imap that raises an exception whenever
#starttlsdoes not establish TLS. - Connect to an implicit TLS port, rather than use
STARTTLSwith a cleartext port. This is strongly recommended anyway: - RFC 8314: Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access
- NO STARTTLS: Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context
- Explicitly verify
Net::IMAP#tls_verified?istrue, before using the connection after#starttls.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.3"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.13"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.5.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.4.23"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "0.4.24"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.9"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42246"
],
"database_specific": {
"cwe_ids": [
"CWE-392",
"CWE-393",
"CWE-636",
"CWE-754",
"CWE-841"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T22:01:52Z",
"nvd_published_at": "2026-05-09T20:16:28Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA man-in-the-middle attacker can cause `Net::IMAP#starttls` to return \"successfully\", without starting TLS.\n\n### Details\n\nWhen using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged `OK` response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes \"successfully\" before the response handler is registered. This allows `#starttls` to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.\n\nThis allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks `Net::IMAP#tls_verified?`.\n\n### Impact\n\nTLS bypass, leading to cleartext transmission of sensitive information.\n\n### Mitigation\n\n* Upgrade to a patched version of net-imap that raises an exception whenever `#starttls` does not establish TLS.\n* Connect to an implicit TLS port, rather than use `STARTTLS` with a cleartext port.\n This is strongly recommended anyway:\n * [RFC 8314](https://www.rfc-editor.org/info/rfc8314): Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access\n * [NO STARTTLS](https://nostarttls.secvuln.info/): Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context\n* Explicitly verify `Net::IMAP#tls_verified?` is `true`, before using the connection after `#starttls`.",
"id": "GHSA-vcgp-9326-pqcp",
"modified": "2026-05-14T20:48:01Z",
"published": "2026-05-04T22:01:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42246"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/net-imap"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.3.10"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42246.yml"
},
{
"type": "WEB",
"url": "https://nostarttls.secvuln.info"
},
{
"type": "WEB",
"url": "https://www.rfc-editor.org/info/rfc8314"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "net-imap vulnerable to STARTTLS stripping via invalid response timing"
}
GHSA-VJR8-6JJG-P3HJ
Vulnerability from github – Published: 2026-03-09 09:30 – Updated: 2026-03-09 09:30An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered.
{
"affected": [],
"aliases": [
"CVE-2025-41760"
],
"database_specific": {
"cwe_ids": [
"CWE-636"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-09T09:16:00Z",
"severity": "MODERATE"
},
"details": "An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered.",
"id": "GHSA-vjr8-6jjg-p3hj",
"modified": "2026-03-09T09:30:30Z",
"published": "2026-03-09T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41760"
},
{
"type": "WEB",
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VM29-7MQ3-9JRG
Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-04-07 18:10Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-qvr7-g57c-mrc7. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "OpenClaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-636"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T18:10:17Z",
"nvd_published_at": "2026-03-31T12:16:29Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qvr7-g57c-mrc7. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries.",
"id": "GHSA-vm29-7mq3-9jrg",
"modified": "2026-04-07T18:10:17Z",
"published": "2026-03-31T12:31:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32970"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode",
"withdrawn": "2026-04-07T18:10:17Z"
}
GHSA-VP96-HXJ8-P424
Vulnerability from github – Published: 2026-03-16 15:15 – Updated: 2026-03-19 18:28If a user provided callback to set_tlsext_servername_callback raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it.
Unhandled exceptions now result in rejecting the connection.
Credit to Leury Castillo for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyopenssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "26.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27448"
],
"database_specific": {
"cwe_ids": [
"CWE-636"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T15:15:43Z",
"nvd_published_at": "2026-03-18T00:16:19Z",
"severity": "LOW"
},
"details": "If a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it.\n\nUnhandled exceptions now result in rejecting the connection.\n\nCredit to **Leury Castillo** for reporting this issue.",
"id": "GHSA-vp96-hxj8-p424",
"modified": "2026-03-19T18:28:02Z",
"published": "2026-03-16T15:15:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27448"
},
{
"type": "WEB",
"url": "https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyca/pyopenssl"
},
{
"type": "WEB",
"url": "https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst#L27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback"
}
GHSA-VPHW-2W3H-QJ8C
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32Windows BitLocker Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21210"
],
"database_specific": {
"cwe_ids": [
"CWE-636"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:32Z",
"severity": "MODERATE"
},
"details": "Windows BitLocker Information Disclosure Vulnerability",
"id": "GHSA-vphw-2w3h-qj8c",
"modified": "2025-01-14T18:32:02Z",
"published": "2025-01-14T18:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21210"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Subdivide and allocate resources and components so that a failure in one part does not affect the entire product.
No CAPEC attack patterns related to this CWE.