Common Weakness Enumeration

CWE-289

Allowed

Authentication Bypass by Alternate Name

Abstraction: Base · Status: Incomplete

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

60 vulnerabilities reference this CWE, most recent first.

GHSA-9P64-VWXM-HXQM

Vulnerability from github – Published: 2025-03-14 06:30 – Updated: 2025-03-14 06:30
VLAI
Details

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-14T05:15:37Z",
    "severity": "HIGH"
  },
  "details": "The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user\u0027s identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.",
  "id": "GHSA-9p64-vwxm-hxqm",
  "modified": "2025-03-14T06:30:41Z",
  "published": "2025-03-14T06:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11283"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfa487fb-c014-47f1-9537-73881ede30b4?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9R87-MVCW-X35F

Vulnerability from github – Published: 2026-07-06 20:52 – Updated: 2026-07-06 20:52
VLAI
Summary
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
Details

Summary

Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.

Impact

An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.

Patches

The fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type.

The fix was backported to all supported release lines:

Release line Patched version
2.34 v2.34.2
2.33 v2.33.8
2.32 v2.32.7
2.29 (ESR) v2.29.17

Workarounds

Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.

Resources

  • Fix: #25712, #25713

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.34.0"
            },
            {
              "fixed": "2.34.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.33.0"
            },
            {
              "fixed": "2.33.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.30.0"
            },
            {
              "fixed": "2.32.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.29.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T20:52:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nTwo flaws in Coder\u0027s OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified.\n\n### Impact\n\nAn attacker who could authenticate at the configured OIDC provider with an email matching a victim\u0027s Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.\n\n### Patches\n\nThe fix restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type.\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n| 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |\n\n### Workarounds\n\nConfigure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.\n\n### Resources\n\n- Fix: #25712, #25713\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22450) for independently disclosing this issue!",
  "id": "GHSA-9r87-mvcw-x35f",
  "modified": "2026-07-06T20:52:13Z",
  "published": "2026-07-06T20:52:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/pull/25712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/pull/25713"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coder/coder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass"
}

GHSA-9RQ6-59M3-GMGX

Vulnerability from github – Published: 2024-06-13 06:30 – Updated: 2024-06-13 06:30
VLAI
Details

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T06:15:09Z",
    "severity": "HIGH"
  },
  "details": "The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the \u0027protectMediaLibrary\u0027 function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.",
  "id": "GHSA-9rq6-59m3-gmgx",
  "modified": "2024-06-13T06:30:53Z",
  "published": "2024-06-13T06:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2098"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3072712/download-manager"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C244-P6M5-VQJ6

Vulnerability from github – Published: 2026-02-09 12:30 – Updated: 2026-02-11 19:48
VLAI
Summary
Apache Shiro has an Authentication Bypass
Details

Impact

Authentication Bypass: A vulnerability exists in Apache Shiro that allows authentication bypass for static files when served from a case-insensitive filesystem (such as the default configuration on macOS or Windows).

The issue arises when Shiro's URL filters are configured with lower-case rules (a common default), but the underlying operating system treats mixed-case filenames as identical. An attacker can access protected static resources by varying the capitalization of the filename in the request (e.g., requesting /SECRET.TXT to bypass a rule for /secret.txt).

This issue specifically affects static file handling and does not impact dynamic resource paths that are case-sensitive.

Patches

Users should upgrade to Apache Shiro 2.1.0 or later.

Important Configuration Note: Version 2.1.0 introduces a new configuration parameter to handle case-insensitivity, which must be enabled manually to resolve the issue:

  • shiro.ini: ini filterChainResolver.caseInsensitive = true
  • Spring Boot (application.properties): properties shiro.caseInsensitive=true

Note: Apache Shiro 3.0.0 (upcoming) will enable this setting by default.

Workarounds

  • Ensure that the filesystem hosting the application is case-sensitive (e.g., Linux/Unix).
  • Manually configure all Shiro filter chains to handle all possible case variations of protected filenames (not recommended due to complexity).

Resources

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shiro:shiro-spring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-11T19:48:43Z",
    "nvd_published_at": "2026-02-09T10:15:57Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n**Authentication Bypass:**\nA vulnerability exists in Apache Shiro that allows authentication bypass for static files when served from a case-insensitive filesystem (such as the default configuration on macOS or Windows).\n\nThe issue arises when Shiro\u0027s URL filters are configured with lower-case rules (a common default), but the underlying operating system treats mixed-case filenames as identical. An attacker can access protected static resources by varying the capitalization of the filename in the request (e.g., requesting `/SECRET.TXT` to bypass a rule for `/secret.txt`).\n\nThis issue specifically affects static file handling and does not impact dynamic resource paths that are case-sensitive.\n\n### Patches\nUsers should upgrade to Apache Shiro **2.1.0** or later.\n\n**Important Configuration Note:**\nVersion 2.1.0 introduces a new configuration parameter to handle case-insensitivity, which must be enabled manually to resolve the issue:\n\n* **shiro.ini:**\n    ```ini\n    filterChainResolver.caseInsensitive = true\n    ```\n* **Spring Boot (application.properties):**\n    ```properties\n    shiro.caseInsensitive=true\n    ```\n\n*Note: Apache Shiro 3.0.0 (upcoming) will enable this setting by default.*\n\n### Workarounds\n* Ensure that the filesystem hosting the application is case-sensitive (e.g., Linux/Unix).\n* Manually configure all Shiro filter chains to handle all possible case variations of protected filenames (not recommended due to complexity).\n\n### Resources\n* [CVE-2026-23903](https://nvd.nist.gov/vuln/detail/CVE-2026-23903)\n* [Mailing List Announcement](https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k)\n* [OSS-Security List](http://www.openwall.com/lists/oss-security/2026/02/08/1)",
  "id": "GHSA-c244-p6m5-vqj6",
  "modified": "2026-02-11T19:48:43Z",
  "published": "2026-02-09T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23903"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/shiro/commit/3b9638b957495004599aeaf24ba8949e309f26e8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/shiro"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Shiro has an Authentication Bypass"
}

GHSA-CG23-QF8F-62RR

Vulnerability from github – Published: 2024-11-13 18:29 – Updated: 2024-11-14 23:55
VLAI
Summary
Symfony has an Authentication Bypass via RememberMe
Details

Description

When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.

Resolution

The PersistentRememberMeHandler class now ensures the submitted username is the cookie owner.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.4.47"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-BETA1"
            },
            {
              "fixed": "6.4.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-BETA1"
            },
            {
              "fixed": "7.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-13T18:29:04Z",
    "nvd_published_at": "2024-11-13T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nWhen consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.\n\n### Resolution\n\nThe `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4.\n\n### Credits\n\nWe would like to thank Moritz Rauch - Pentryx AG for reporting the issue and J\u00e9r\u00e9my Deruss\u00e9 for providing the fix.",
  "id": "GHSA-cg23-qf8f-62rr",
  "modified": "2024-11-14T23:55:43Z",
  "published": "2024-11-13T18:29:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2024-51996.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51996.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2024-51996"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony has an Authentication Bypass via RememberMe"
}

GHSA-CV5F-6R7G-8Q4W

Vulnerability from github – Published: 2025-03-31 15:30 – Updated: 2025-03-31 15:30
VLAI
Details

Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T13:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled.",
  "id": "GHSA-cv5f-6r7g-8q4w",
  "modified": "2025-03-31T15:30:44Z",
  "published": "2025-03-31T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29266"
    },
    {
      "type": "WEB",
      "url": "https://docs.unraid.net/unraid-os/release-notes/7.0.1"
    },
    {
      "type": "WEB",
      "url": "https://edac.dev/security/CVE-2025-29266"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unraid/webgui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FV2H-753J-9G39

Vulnerability from github – Published: 2023-09-20 23:01 – Updated: 2024-10-11 15:37
VLAI
Summary
Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation
Details

Impact

When a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider.

An application is impacted if they rely on any of these features in their authentication/authorization logic: * the issuer of the generated identity and claims * items in the stored request state (AuthenticationProperties)

Patches

Patched in version 2.9.2 and 1.0.3. All previous versions are vulnerable.

Workarounds

The AcsCommandResultCreated notification can be used to add the validation required if an upgrade to patched packages is not possible.

References

The patch is linked to https://github.com/Sustainsys/Saml2/issues/712 and https://github.com/Sustainsys/Saml2/issues/713

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Sustainsys.Saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Sustainsys.Saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Kentor.AuthServices"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289",
      "CWE-294"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-20T23:01:52Z",
    "nvd_published_at": "2023-09-19T15:15:52Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider.\n\nAn application is impacted if they rely on any of these features in their authentication/authorization logic:\n* the issuer of the generated identity and claims\n* items in the stored request state (AuthenticationProperties)\n\n### Patches\nPatched in version 2.9.2 and 1.0.3. All previous versions are vulnerable.\n\n### Workarounds\nThe `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.\n\n### References\nThe patch is linked to https://github.com/Sustainsys/Saml2/issues/712 and https://github.com/Sustainsys/Saml2/issues/713\n",
  "id": "GHSA-fv2h-753j-9g39",
  "modified": "2024-10-11T15:37:58Z",
  "published": "2023-09-20T23:01:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sustainsys/Saml2/issues/712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sustainsys/Saml2/issues/713"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sustainsys/Saml2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation"
}

GHSA-G57M-HR98-5M89

Vulnerability from github – Published: 2026-06-26 03:31 – Updated: 2026-07-15 03:32
VLAI
Details

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.

This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-176",
      "CWE-289"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T02:16:52Z",
    "severity": "HIGH"
  },
  "details": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\n\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
  "id": "GHSA-g57m-hr98-5m89",
  "modified": "2026-07-15T03:32:51Z",
  "published": "2026-06-26T03:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:28727"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:29012"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30172"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:35841"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:35842"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:35891"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:35892"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:39246"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7378"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:9455"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-48618"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48618.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7CR-9H7Q-4QXQ

Vulnerability from github – Published: 2026-03-12 14:21 – Updated: 2026-04-06 22:45
VLAI
Summary
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty
Details

OpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but groupAllowFrom was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended groupPolicy: "allowlist" sender check.

This does not affect default unauthenticated access, but it does weaken a documented Teams group authorization boundary and can allow unauthorized group senders to trigger replies in allowlisted Teams routes.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published vulnerable version: 2026.3.7
  • Affected range: <= 2026.3.7
  • Fixed in released version: 2026.3.8

Fix Commit(s)

  • 88aee9161e0e6d32e810a25711e32a808a1777b2

Release Verification

  • Verified fixed in GitHub release v2026.3.8 published on March 9, 2026.
  • Verified npm view openclaw version resolves to 2026.3.8.
  • Verified the release contains the regression test covering the Teams route-allowlist sender-bypass case and that the test passes against the v2026.3.8 tree.

Thanks @zpbrent for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.7"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:21:35Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "OpenClaw\u0027s Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but `groupAllowFrom` was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended `groupPolicy: \"allowlist\"` sender check.\n\nThis does not affect default unauthenticated access, but it does weaken a documented Teams group authorization boundary and can allow unauthorized group senders to trigger replies in allowlisted Teams routes.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.3.7`\n- Affected range: `\u003c= 2026.3.7`\n- Fixed in released version: `2026.3.8`\n\n## Fix Commit(s)\n\n- `88aee9161e0e6d32e810a25711e32a808a1777b2`\n\n## Release Verification\n\n- Verified fixed in GitHub release `v2026.3.8` published on March 9, 2026.\n- Verified `npm view openclaw version` resolves to `2026.3.8`.\n- Verified the release contains the regression test covering the Teams route-allowlist sender-bypass case and that the test passes against the `v2026.3.8` tree.\n\nThanks @zpbrent for reporting.",
  "id": "GHSA-g7cr-9h7q-4qxq",
  "modified": "2026-04-06T22:45:49Z",
  "published": "2026-03-12T14:21:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34506"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty"
}

GHSA-H2P8-37QR-QFR9

Vulnerability from github – Published: 2025-08-20 18:30 – Updated: 2025-12-24 00:30
VLAI
Details

A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-20T17:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in the Cryostat HTTP API. Cryostat\u0027s HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment.",
  "id": "GHSA-h2p8-37qr-qfr9",
  "modified": "2025-12-24T00:30:12Z",
  "published": "2025-08-20T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8415"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryostatio/cryostat/pull/1001"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:14919"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-8415"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385773"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cryostatio/cryostat/releases/tag/v4.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-44
Architecture and Design

Strategy: Input Validation

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.