CWE-294
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CVE-2026-32987 (GCVE-0-2026-32987)
Vulnerability from cvelistv5 – Published: 2026-03-29 12:44 – Updated: 2026-03-30 14:11
VLAI
Title
OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing
Summary
OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
Severity
9.8 (Critical)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | third-party-advisory |
| https://github.com/openclaw/openclaw/commit/1803d… | patch |
| https://www.vulncheck.com/advisories/openclaw-boo… | third-party-advisory |
Impacted products
Date Public
2026-03-14 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T14:11:50.326616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T14:11:58.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.3.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.3.13",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "tdjackey"
}
],
"datePublic": "2026-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-29T12:44:29.705Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-63f5-hhc7-cx6p)",
"tags": [
"third-party-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing"
}
],
"title": "OpenClaw \u003c 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-32987",
"datePublished": "2026-03-29T12:44:29.705Z",
"dateReserved": "2026-03-17T11:31:56.956Z",
"dateUpdated": "2026-03-30T14:11:58.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34209 (GCVE-0-2026-34209)
Vulnerability from cvelistv5 – Published: 2026-03-31 14:10 – Updated: 2026-04-02 15:13
VLAI
Title
mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality
Summary
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
Severity
7.5 (High)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/wevm/mppx/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/wevm/mppx/commit/94088246ee18f… | x_refsource_MISC |
| https://github.com/wevm/mppx/releases/tag/mppx@0.4.11 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:13:21.208040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:13:32.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mppx",
"vendor": "wevm",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"\u003c\" instead of \"\u003c=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:10:46.416Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"
},
{
"name": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"
},
{
"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"
}
],
"source": {
"advisory": "GHSA-mv9j-8jvg-j8mr",
"discovery": "UNKNOWN"
},
"title": "mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34209",
"datePublished": "2026-03-31T14:10:46.416Z",
"dateReserved": "2026-03-26T15:57:52.324Z",
"dateUpdated": "2026-04-02T15:13:32.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35618 (GCVE-0-2026-35618)
Vulnerability from cvelistv5 – Published: 2026-04-09 21:26 – Updated: 2026-04-10 12:33 X_Open Source
VLAI
Title
OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification
Summary
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.
Severity
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | third-party-advisory |
| https://github.com/openclaw/openclaw/commit/630f1… | patch |
| https://github.com/openclaw/openclaw/commit/b0ce5… | patch |
| https://www.vulncheck.com/advisories/openclaw-rep… | third-party-advisory |
Impacted products
Date Public
2026-03-24 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T12:33:06.772433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T12:33:14.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.3.23",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.3.23",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.3.23",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "smaeljaish771"
},
{
"lang": "en",
"type": "finder",
"value": "KeenSecurityLab"
}
],
"datePublic": "2026-03-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T21:26:51.509Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-cg6c-q2hx-69h7)",
"tags": [
"third-party-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"
},
{
"name": "Patch Commit #1",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"name": "Patch Commit #2",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification"
}
],
"tags": [
"x_open-source"
],
"title": "OpenClaw \u003c 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-35618",
"datePublished": "2026-04-09T21:26:51.509Z",
"dateReserved": "2026-04-04T12:28:49.756Z",
"dateUpdated": "2026-04-10T12:33:14.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41351 (GCVE-0-2026-41351)
Vulnerability from cvelistv5 – Published: 2026-04-23 21:58 – Updated: 2026-04-24 13:33 X_Open Source
VLAI
Title
OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Summary
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification.
Severity
5.3 (Medium)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/ad776… | patch |
| https://www.vulncheck.com/advisories/openclaw-web… | third-party-advisory |
Impacted products
Date Public
2026-03-31 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T13:33:40.282038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T13:33:45.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.3.31",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.3.31",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.3.31",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AntAISecurityLab"
}
],
"datePublic": "2026-03-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T21:58:11.440Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-37v6-fxx8-xjmx)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37v6-fxx8-xjmx"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/ad77666054651c1fd77b1dc60fd6a8db6600a29a"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding"
}
],
"tags": [
"x_open-source"
],
"title": "OpenClaw \u003c 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41351",
"datePublished": "2026-04-23T21:58:11.440Z",
"dateReserved": "2026-04-20T14:07:26.648Z",
"dateUpdated": "2026-04-24T13:33:45.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42602 (GCVE-0-2026-42602)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:12 – Updated: 2026-05-14 12:52
VLAI
Title
azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
Summary
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
Severity
8.1 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib |
Affected:
>= 0.124.0, <= 0.150.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42602",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:51:31.756562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:52:53.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.124.0, \u003c= 0.150.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector\u0027s configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension\u0027s Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client\u0027s token to the result with string equality \u2014 and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:12:18.936Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
}
],
"source": {
"advisory": "GHSA-pjv4-3c63-699f",
"discovery": "UNKNOWN"
},
"title": "azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42602",
"datePublished": "2026-05-13T20:12:18.936Z",
"dateReserved": "2026-04-29T00:31:15.725Z",
"dateUpdated": "2026-05-14T12:52:53.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4583 (GCVE-0-2026-4583)
Vulnerability from cvelistv5 – Published: 2026-03-23 10:31 – Updated: 2026-03-25 14:04
VLAI
Title
Shenzhen HCC Technology MPOS M6 PLUS Bluetooth authentication replay
Summary
A vulnerability was detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this issue is some unknown functionality of the component Bluetooth Handler. Performing a manipulation results in authentication bypass by capture-replay. The attack must originate from the local network. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.352420 | vdb-entry |
| https://vuldb.com/?ctiid.352420 | signaturepermissions-required |
| https://vuldb.com/?submit.775434 | third-party-advisory |
| https://github.com/Davim09/m6plusexploit/blob/mai… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Shenzhen HCC Technology | MPOS M6 PLUS |
Affected:
1V.31-N
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4583",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:04:29.007542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:04:39.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Bluetooth Handler"
],
"product": "MPOS M6 PLUS",
"vendor": "Shenzhen HCC Technology",
"versions": [
{
"status": "affected",
"version": "1V.31-N"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "davimo (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this issue is some unknown functionality of the component Bluetooth Handler. Performing a manipulation results in authentication bypass by capture-replay. The attack must originate from the local network. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T10:31:32.192Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-352420 | Shenzhen HCC Technology MPOS M6 PLUS Bluetooth authentication replay",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.352420"
},
{
"name": "VDB-352420 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.352420"
},
{
"name": "Submit #775434 | Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Missing Anti-Replay Protection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.775434"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-2-Replay.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-22T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-22T10:04:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "Shenzhen HCC Technology MPOS M6 PLUS Bluetooth authentication replay"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4583",
"datePublished": "2026-03-23T10:31:32.192Z",
"dateReserved": "2026-03-22T08:59:02.251Z",
"dateUpdated": "2026-03-25T14:04:39.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46538 (GCVE-0-2026-46538)
Vulnerability from cvelistv5 – Published: 2026-05-27 21:56 – Updated: 2026-05-28 12:38
VLAI
Title
Microsoft UFO accepts cross-device TASK_END messages by session_id only, allowing peer task-result injection
Summary
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device's pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue.
Severity
5.9 (Medium)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/microsoft/UFO/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46538",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T12:37:58.013066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T12:38:02.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/microsoft/UFO/security/advisories/GHSA-wmq2-74rj-7pjc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UFO",
"vendor": "microsoft",
"versions": [
{
"status": "affected",
"version": "3.0.1-4-ge2626659"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO\u0027s constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device\u0027s pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T21:56:55.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/microsoft/UFO/security/advisories/GHSA-wmq2-74rj-7pjc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/microsoft/UFO/security/advisories/GHSA-wmq2-74rj-7pjc"
}
],
"source": {
"advisory": "GHSA-wmq2-74rj-7pjc",
"discovery": "UNKNOWN"
},
"title": "Microsoft UFO accepts cross-device TASK_END messages by session_id only, allowing peer task-result injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46538",
"datePublished": "2026-05-27T21:56:55.361Z",
"dateReserved": "2026-05-14T20:42:31.368Z",
"dateUpdated": "2026-05-28T12:38:02.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49322 (GCVE-0-2026-49322)
Vulnerability from cvelistv5 – Published: 2026-05-29 07:29 – Updated: 2026-05-29 15:01
VLAI
Title
Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user PIN from observed exchange
Summary
Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.
Severity
4.3 (Medium)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.asrg.io/security-advisories/cve-2026-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Indian Motorcycle (Polaris Inc.) | Scout Bobber + Tech |
Affected:
2025
(model-year)
|
Date Public
2026-05-29 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T15:01:05.171770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:01:20.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Wireless Control Module (WCM)",
"Infotainment / Digital Round"
],
"platforms": [
"OEM Motorcycle"
],
"product": "Scout Bobber + Tech",
"vendor": "Indian Motorcycle (Polaris Inc.)",
"versions": [
{
"status": "affected",
"version": "2025",
"versionType": "model-year"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Sheahan, Rustic Security LLC"
}
],
"datePublic": "2026-05-29T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWeak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle\u0027s primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.\u003c/p\u003e"
}
],
"value": "Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle\u0027s primary user-authentication control. Specific protocol details have been withheld pending vendor remediation."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Cryptanalysis"
}
]
},
{
"descriptions": [
{
"lang": "en",
"value": "Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1390",
"description": "CWE-1390 Weak Authentication",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-Replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T13:45:48.973Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.asrg.io/security-advisories/cve-2026-49322-indian-scout-infotainment-wcm-weak-authentication"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReplace the non-cryptographic response computation with a digital signature (for example ECDSA P-256) or an HMAC over a fresh per-session random nonce, bound to a stable per-vehicle identifier to prevent cross-bike replay.\u003c/p\u003e"
}
],
"value": "Replace the non-cryptographic response computation with a digital signature (for example ECDSA P-256) or an HMAC over a fresh per-session random nonce, bound to a stable per-vehicle identifier to prevent cross-bike replay."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-26T00:00:00.000Z",
"value": "Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)"
}
],
"title": "Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user PIN from observed exchange",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2026-49322",
"datePublished": "2026-05-29T07:29:55.546Z",
"dateReserved": "2026-05-29T07:26:43.199Z",
"dateUpdated": "2026-05-29T15:01:20.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9398 (GCVE-0-2026-9398)
Vulnerability from cvelistv5 – Published: 2026-05-24 20:45 – Updated: 2026-05-29 18:17
VLAI
Title
Besen BS20 EV Charging Station BLE/WiFi authentication replay
Summary
A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026."
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365379 | vdb-entry |
| https://vuldb.com/vuln/365379/cti | signaturepermissions-required |
| https://vuldb.com/submit/813577 | third-party-advisory |
| https://github.com/carfeii/besen#finding-5-unauth… | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Besen | BS20 EV Charging Station |
Affected:
20260426
cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9398",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:17:43.949035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:17:55.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:besen:bs20_ev_charging_station:*:*:*:*:*:*:*:*"
],
"modules": [
"BLE/WiFi"
],
"product": "BS20 EV Charging Station",
"vendor": "Besen",
"versions": [
{
"status": "affected",
"version": "20260426"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "carfeii (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions, that \"[t]hese vulnerabilities have been reported to Besen and we have received their acknowlegement that they are reviewing this as of April 2026.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.8,
"vectorString": "AV:A/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-24T20:45:08.425Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365379 | Besen BS20 EV Charging Station BLE/WiFi authentication replay",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/365379"
},
{
"name": "VDB-365379 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365379/cti"
},
{
"name": "Submit #813577 | Besen EV Charging Station BS20 EV Charger Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/813577"
},
{
"tags": [
"related"
],
"url": "https://github.com/carfeii/besen#finding-5-unauthorized-tampering-of-charger-commands"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-24T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-24T08:24:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "Besen BS20 EV Charging Station BLE/WiFi authentication replay"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9398",
"datePublished": "2026-05-24T20:45:08.425Z",
"dateReserved": "2026-05-24T06:19:03.634Z",
"dateUpdated": "2026-05-29T18:17:55.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.
Mitigation
Phase: Architecture and Design
Description:
- Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.