CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-G863-M67X-WHH5
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-18 15:30Vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with program files includes/Page/Article.Php.
This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
{
"affected": [],
"aliases": [
"CVE-2026-34094"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T18:16:32Z",
"severity": "LOW"
},
"details": "Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Page/Article.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.",
"id": "GHSA-g863-m67x-whh5",
"modified": "2026-05-18T15:30:33Z",
"published": "2026-05-11T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34094"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T416090"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G8P2-7WF7-98MQ
Vulnerability from github – Published: 2026-02-02 23:41 – Updated: 2026-02-02 23:41Summary
The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.
Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim's local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE. This vulnerability is exploitable even on instances configured to listen on loopback only, since the victim's browser initiates the outbound connection.
Details
The root cause is the lack of validation for gatewayUrl combined with auto‑connect behavior on page load. With the change users now need to confirm the new gateway URL in the UI.
Impact
This is a token exfiltration vulnerability that leads to full gateway compromise. It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim's browser acts as the bridge.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.1.28"
},
"package": {
"ecosystem": "npm",
"name": "clawdbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.1.29"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25253"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T23:41:05Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe Control UI trusts `gatewayUrl` from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.\n\nClicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim\u0027s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE. This vulnerability is exploitable even on instances configured to listen on loopback only, since the victim\u0027s browser initiates the outbound connection.\n\n## Details\n\nThe root cause is the lack of validation for `gatewayUrl` combined with auto\u2011connect behavior on page load. With the change users now need to confirm the new gateway URL in the UI.\n\n## Impact\n\nThis is a token exfiltration vulnerability that leads to full gateway compromise. It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim\u0027s browser acts as the bridge.",
"id": "GHSA-g8p2-7wf7-98mq",
"modified": "2026-02-02T23:41:05Z",
"published": "2026-02-02T23:41:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253"
},
{
"type": "WEB",
"url": "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://openclaw.ai/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl"
}
GHSA-G8P8-2V2X-8MHV
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.
{
"affected": [],
"aliases": [
"CVE-2021-39900"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-04T17:15:00Z",
"severity": "MODERATE"
},
"details": "Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.",
"id": "GHSA-g8p8-2v2x-8mhv",
"modified": "2022-07-13T00:01:38Z",
"published": "2022-05-24T19:16:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39900"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/325088"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G94P-M365-483P
Vulnerability from github – Published: 2022-04-04 00:00 – Updated: 2022-04-13 00:00Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concatenating the serial number and the model (i.e., the LVSKIHP string), running the sha256sum program, and extracting the first seven characters concatenated with the last seven characters of that SHA-256 value.
{
"affected": [],
"aliases": [
"CVE-2022-28376"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-03T04:15:00Z",
"severity": "HIGH"
},
"details": "Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (knowing the device\u0027s serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concatenating the serial number and the model (i.e., the LVSKIHP string), running the sha256sum program, and extracting the first seven characters concatenated with the last seven characters of that SHA-256 value.",
"id": "GHSA-g94p-m365-483p",
"modified": "2022-04-13T00:00:50Z",
"published": "2022-04-04T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28376"
},
{
"type": "WEB",
"url": "https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md"
},
{
"type": "WEB",
"url": "https://www.reddit.com/r/verizon/comments/sstq4c/5g_home_internet_dropping_out/hx3ir0s"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G97H-G5HQ-W73P
Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-13 00:01Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.
{
"affected": [],
"aliases": [
"CVE-2022-29467"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-04T07:15:00Z",
"severity": "MODERATE"
},
"details": "Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.",
"id": "GHSA-g97h-g5hq-w73p",
"modified": "2022-07-13T00:01:53Z",
"published": "2022-07-05T00:00:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29467"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2022/007429.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN73897863/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G9GJ-X94C-4PVG
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.
{
"affected": [],
"aliases": [
"CVE-2018-6910"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-13T21:29:00Z",
"severity": "HIGH"
},
"details": "DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.",
"id": "GHSA-g9gj-x94c-4pvg",
"modified": "2022-05-13T01:03:34Z",
"published": "2022-05-13T01:03:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6910"
},
{
"type": "WEB",
"url": "https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md"
},
{
"type": "WEB",
"url": "https://kongxin.gitbook.io/dedecms-5-7-bug"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G9M8-5243-X34C
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-07-13 00:01SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2021-33677"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-14T12:15:00Z",
"severity": "HIGH"
},
"details": "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.",
"id": "GHSA-g9m8-5243-x34c",
"modified": "2022-07-13T00:01:25Z",
"published": "2022-05-24T19:08:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33677"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3044754"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G9RQ-P8H7-MCJ8
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48An authentication bypass vulnerability in the Juniper Networks Paragon Active Assurance Control Center may allow an attacker with specific information about the deployment to mimic an already registered Test Agent and access its configuration including associated inventory details. If the issue occurs, the affected Test Agent will not be able to connect to the Control Center. This issue affects Juniper Networks Paragon Active Assurance Control Center All versions prior to 2.35.6; 2.36 versions prior to 2.36.2.
{
"affected": [],
"aliases": [
"CVE-2021-0232"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T20:15:00Z",
"severity": "HIGH"
},
"details": "An authentication bypass vulnerability in the Juniper Networks Paragon Active Assurance Control Center may allow an attacker with specific information about the deployment to mimic an already registered Test Agent and access its configuration including associated inventory details. If the issue occurs, the affected Test Agent will not be able to connect to the Control Center. This issue affects Juniper Networks Paragon Active Assurance Control Center All versions prior to 2.35.6; 2.36 versions prior to 2.36.2.",
"id": "GHSA-g9rq-p8h7-mcj8",
"modified": "2022-05-24T17:48:11Z",
"published": "2022-05-24T17:48:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0232"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11127"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNPCV3KRDI5PLLLKADFVIOHACQJLZMLI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GC37-9G7F-96FX
Vulnerability from github – Published: 2021-11-23 18:17 – Updated: 2022-08-11 18:41In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ozone:ozone-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41532"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-22T18:38:16Z",
"nvd_published_at": "2021-11-19T10:15:00Z",
"severity": "MODERATE"
},
"details": "In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.",
"id": "GHSA-gc37-9g7f-96fx",
"modified": "2022-08-11T18:41:20Z",
"published": "2021-11-23T18:17:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41532"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Ozone exposes OM, SCM and Datanode metadata"
}
GHSA-GC43-CVGG-XJPV
Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32Exposure of resource to wrong sphere in some Intel(R) DTT software installers may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2024-21813"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:16:03Z",
"severity": "HIGH"
},
"details": "Exposure of resource to wrong sphere in some Intel(R) DTT software installers may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-gc43-cvgg-xjpv",
"modified": "2024-05-16T21:32:01Z",
"published": "2024-05-16T21:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21813"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00984.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.