Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3235 vulnerabilities reference this CWE, most recent first.

GHSA-7G8V-P8GP-3MFF

Vulnerability from github – Published: 2024-04-02 00:30 – Updated: 2024-04-02 00:30
VLAI
Details

A vulnerability, which was classified as critical, has been found in SourceCodester Computer Laboratory Management System 1.0. Affected by this issue is the function save_users of the file /classes/Users.php?f=save. The manipulation of the argument id leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-258914 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-01T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in SourceCodester Computer Laboratory Management System 1.0. Affected by this issue is the function save_users of the file /classes/Users.php?f=save. The manipulation of the argument id leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-258914 is the identifier assigned to this vulnerability.",
  "id": "GHSA-7g8v-p8gp-3mff",
  "modified": "2024-04-02T00:30:47Z",
  "published": "2024-04-02T00:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3139"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sospiro014/zday1/blob/main/Laboratory_Management_System.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.258914"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.258914"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.308207"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GRX-3XCX-2XV5

Vulnerability from github – Published: 2026-03-20 20:47 – Updated: 2026-06-06 00:56
VLAI
Summary
langflow has Unauthenticated IDOR on Image Downloads
Details

Summary

The /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200.

Details

src/backend/base/langflow/api/v1/files.py:138-164download_image takes flow_id: UUID as a bare path parameter with no Depends(get_flow) or CurrentActiveUser. All other file routes (download_file, upload_file, list_files, delete_file) use Depends(get_flow) which enforces both authentication and ownership. There is no global auth middleware on /api/v1; protection is per-endpoint only.

PoC

curl -v "http://localhost:7860/api/v1/files/images/<flow_uuid>/<filename.png>"
# Returns HTTP 200 with image bytes, no auth header required

Impact

Unauthenticated cross-tenant data leak. In a multi-tenant deployment, any attacker who can discover or guess a flow_id (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:47:10Z",
    "nvd_published_at": "2026-03-24T14:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200.\n\n### Details\n`src/backend/base/langflow/api/v1/files.py:138-164` \u2014 `download_image` takes `flow_id`: UUID as a bare path parameter with no Depends(get_flow) or `CurrentActiveUser`. All other file routes (`download_file`, `upload_file`, `list_files`, `delete_file`) use `Depends(get_flow)` which enforces both authentication and ownership. There is no global auth middleware on /api/v1; protection is per-endpoint only.\n\n### PoC\n```\ncurl -v \"http://localhost:7860/api/v1/files/images/\u003cflow_uuid\u003e/\u003cfilename.png\u003e\"\n# Returns HTTP 200 with image bytes, no auth header required\n```\n\n### Impact\nUnauthenticated cross-tenant data leak. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user\u0027s uploaded images without credentials.",
  "id": "GHSA-7grx-3xcx-2xv5",
  "modified": "2026-06-06T00:56:13Z",
  "published": "2026-03-20T20:47:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33484"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-80.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "langflow has Unauthenticated IDOR on Image Downloads"
}

GHSA-7H53-73G8-FJVR

Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-04-13 15:31
VLAI
Details

Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-31T11:16:14Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint \u0027api.1millionbot.com/api/public/conversations/\u0027 and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user\u0027s conversation ID.",
  "id": "GHSA-7h53-73g8-fjvr",
  "modified": "2026-04-13T15:31:07Z",
  "published": "2026-03-31T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4400"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7HCJ-3P5P-49GH

Vulnerability from github – Published: 2025-09-03 15:30 – Updated: 2026-04-01 18:36
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 2.4.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-03T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 2.4.6.",
  "id": "GHSA-7hcj-3p5p-49gh",
  "modified": "2026-04-01T18:36:02Z",
  "published": "2025-09-03T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58597"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-2-4-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7HR6-J3QM-7P23

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2024-05-14 21:34
VLAI
Details

In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-14T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page \"ActivityStreamAjax.i4\".",
  "id": "GHSA-7hr6-j3qm-7p23",
  "modified": "2024-05-14T21:34:39Z",
  "published": "2022-05-24T19:17:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36387"
    },
    {
      "type": "WEB",
      "url": "https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html"
    },
    {
      "type": "WEB",
      "url": "https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Oct/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7HV6-GV38-78WJ

Vulnerability from github – Published: 2023-06-02 17:09 – Updated: 2023-06-02 17:09
VLAI
Summary
DataEase API interface has IDOR vulnerability
Details

Impact

The api interface for DataEase delete dashboard and delete system messages is vulnerable to IDOR.

The interface to delete the dashboard: 1. Create two users: user1 and user2 2. User1 creates a dashboard named pan1 3. User2 creates a dashboard named pan2 4. Both user1 and user2 share their dashboards with the demo user 5. User1 wants to delete his dashboard. We hijack the request with burpsuite. The request will probably look like this: POST /api/share/removePanelShares/440efa7f-efd8-11ed-bec7-1144724bc08c HTTP/1.1. 440efa7f-efd8-11ed-bec7-1144724bc08c is the ID of pan1 6. We replace this ID with the ID of pan2 and continue the execution (i.e. we delete the shares of others) 7. Successfully remove the shared link image

The interface to delete system messages: 1. Our request to delete a message is shown below image 2. We can delete all messages by simply enumerating the message ID, regardless of whether the message belongs to the requester or not. 3. The interface for marking read messages is also affected

Affected versions: <= 1.18.6

Patches

The vulnerability has been fixed in v1.18.7.

Workarounds

It is recommended to upgrade the version to v1.18.7.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease Email us at wei@fit2cloud.com

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.18.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.dataease:dataease-plugin-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-02T17:09:17Z",
    "nvd_published_at": "2023-06-01T16:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe api interface for DataEase delete dashboard and delete system messages is vulnerable to IDOR.\n\nThe interface to delete the dashboard:\n1. Create two users: user1 and user2\n2. User1 creates a dashboard named pan1\n3. User2 creates a dashboard named pan2\n4. Both user1 and user2 share their dashboards with the demo user\n5. User1 wants to delete his dashboard. We hijack the request with burpsuite. The request will probably look like this: POST /api/share/removePanelShares/440efa7f-efd8-11ed-bec7-1144724bc08c HTTP/1.1. 440efa7f-efd8-11ed-bec7-1144724bc08c is the ID of pan1\n6. We replace this ID with the ID of pan2 and continue the execution (i.e. we delete the shares of others)\n7. Successfully remove the shared link\n![image](https://user-images.githubusercontent.com/985347/238271028-d23a9ca3-cd77-42a2-9199-a28ef03f5bf0.png)\n\nThe interface to delete system messages:\n1. Our request to delete a message is shown below\n![image](https://user-images.githubusercontent.com/985347/238271474-1bf6be85-7a39-436d-b209-ac88bf52b591.png)\n2. We can delete all messages by simply enumerating the message ID, regardless of whether the message belongs to the requester or not.\n3. The interface for marking read messages is also affected\n\nAffected versions: \u003c= 1.18.6\n\n### Patches\nThe vulnerability has been fixed in v1.18.7.\n\n### Workarounds\nIt is recommended to upgrade the version to v1.18.7.\n\n### References\nIf you have any questions or comments about this advisory:\n\nOpen an issue in https://github.com/dataease/dataease\nEmail us at [wei@fit2cloud.com](mailto:wei@fit2cloud.com)\n",
  "id": "GHSA-7hv6-gv38-78wj",
  "modified": "2023-06-02T17:09:17Z",
  "published": "2023-06-02T17:09:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7hv6-gv38-78wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32310"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dataease/dataease/pull/5342"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dataease/dataease/commit/72f428e87b5395c03d2f94ef6185fc247ddbc8dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dataease/dataease"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dataease/dataease/releases/tag/v1.18.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DataEase API interface has IDOR vulnerability"
}

GHSA-7J9F-FW49-X4P8

Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2023-01-09 21:30
VLAI
Details

The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-02T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it\u0027s thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.",
  "id": "GHSA-7j9f-fw49-x4p8",
  "modified": "2023-01-09T21:30:21Z",
  "published": "2023-01-03T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4340"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/8a7bd9f6-2789-474b-a237-01c643fdfba7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JCV-RMG2-JM39

Vulnerability from github – Published: 2025-04-15 21:31 – Updated: 2025-04-15 21:31
VLAI
Details

An unauthenticated attacker can infer the existence of usernames in the system by querying an API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T21:15:54Z",
    "severity": "MODERATE"
  },
  "details": "An unauthenticated attacker can infer the existence of usernames in the system by querying an API.",
  "id": "GHSA-7jcv-rmg2-jm39",
  "modified": "2025-04-15T21:31:45Z",
  "published": "2025-04-15T21:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24487"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7JWW-FM5P-PJ92

Vulnerability from github – Published: 2022-11-17 03:30 – Updated: 2022-11-21 18:30
VLAI
Details

An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail addresses. Furthermore, it is possible to subscribe and verify other persons' e-mail addresses to newsletters without their consent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-16T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers\u0027 e-mail addresses. Furthermore, it is possible to subscribe and verify other persons\u0027 e-mail addresses to newsletters without their consent.",
  "id": "GHSA-7jww-fm5p-pj92",
  "modified": "2022-11-21T18:30:37Z",
  "published": "2022-11-17T03:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44005"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-026.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JX5-9FJG-HP4M

Vulnerability from github – Published: 2026-02-27 22:08 – Updated: 2026-03-30 13:44
VLAI
Summary
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Details

Vulnerability Summary

The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected published versions: <= 2026.2.22-2 (latest published as of February 24, 2026 is 2026.2.22-2)
  • Patched in code on main: 2026.2.23 (released)

Technical Details

  • Permission classification trusted incoming toolCall.kind and heuristic name matching.
  • Non-core read-like names and spoofed kind metadata could reach auto-approve paths.
  • read operations were not scoped strongly enough to cwd in all metadata/title forms.

Fix

  • Require trusted core tool IDs for auto-approval and ignore untrusted toolCall.kind as an authorization source.
  • Scope read auto-approval to cwd-resolved paths.
  • Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names.

Affected Functions

  • resolvePermissionRequest
  • resolveToolNameForPermission
  • shouldAutoApproveToolCall

Fix Commit(s)

  • 12cc754332f9a7c92e158ce7644aa22df79c0904
  • 63dcd28ae0be2de1c75af09cc81841cebeec068f

Found using MCPwner

Thanks @nedlir for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.22-2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-27T22:08:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Vulnerability Summary\n\nThe OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.\n\n## Affected Packages / Versions\n\n- Package: npm `openclaw`\n- Affected published versions: `\u003c= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`)\n- Patched in code on `main`: `2026.2.23` (released)\n\n## Technical Details\n\n- Permission classification trusted incoming `toolCall.kind` and heuristic name matching.\n- Non-core read-like names and spoofed kind metadata could reach auto-approve paths.\n- `read` operations were not scoped strongly enough to cwd in all metadata/title forms.\n\n## Fix\n\n- Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source.\n- Scope `read` auto-approval to cwd-resolved paths.\n- Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names.\n\n## Affected Functions\n\n- `resolvePermissionRequest`\n- `resolveToolNameForPermission`\n- `shouldAutoApproveToolCall`\n\n## Fix Commit(s)\n\n- `12cc754332f9a7c92e158ce7644aa22df79c0904`\n- `63dcd28ae0be2de1c75af09cc81841cebeec068f`\n\nFound using [MCPwner](https://github.com/Pigyon/MCPwner)\n\n\nThanks @nedlir for reporting.",
  "id": "GHSA-7jx5-9fjg-hp4m",
  "modified": "2026-03-30T13:44:47Z",
  "published": "2026-02-27T22:08:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32898"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/63dcd28ae0be2de1c75af09cc81841cebeec068f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.23"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-acp-permission-auto-approval-bypass-via-untrusted-tool-metadata"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.