CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3235 vulnerabilities reference this CWE, most recent first.
GHSA-7G8V-P8GP-3MFF
Vulnerability from github – Published: 2024-04-02 00:30 – Updated: 2024-04-02 00:30A vulnerability, which was classified as critical, has been found in SourceCodester Computer Laboratory Management System 1.0. Affected by this issue is the function save_users of the file /classes/Users.php?f=save. The manipulation of the argument id leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-258914 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-3139"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T23:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in SourceCodester Computer Laboratory Management System 1.0. Affected by this issue is the function save_users of the file /classes/Users.php?f=save. The manipulation of the argument id leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-258914 is the identifier assigned to this vulnerability.",
"id": "GHSA-7g8v-p8gp-3mff",
"modified": "2024-04-02T00:30:47Z",
"published": "2024-04-02T00:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3139"
},
{
"type": "WEB",
"url": "https://github.com/Sospiro014/zday1/blob/main/Laboratory_Management_System.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.258914"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.258914"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.308207"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7GRX-3XCX-2XV5
Vulnerability from github – Published: 2026-03-20 20:47 – Updated: 2026-06-06 00:56Summary
The /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200.
Details
src/backend/base/langflow/api/v1/files.py:138-164 — download_image takes flow_id: UUID as a bare path parameter with no Depends(get_flow) or CurrentActiveUser. All other file routes (download_file, upload_file, list_files, delete_file) use Depends(get_flow) which enforces both authentication and ownership. There is no global auth middleware on /api/v1; protection is per-endpoint only.
PoC
curl -v "http://localhost:7860/api/v1/files/images/<flow_uuid>/<filename.png>"
# Returns HTTP 200 with image bytes, no auth header required
Impact
Unauthenticated cross-tenant data leak. In a multi-tenant deployment, any attacker who can discover or guess a flow_id (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langflow"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33484"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:47:10Z",
"nvd_published_at": "2026-03-24T14:16:30Z",
"severity": "HIGH"
},
"details": "### Summary\nThe `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200.\n\n### Details\n`src/backend/base/langflow/api/v1/files.py:138-164` \u2014 `download_image` takes `flow_id`: UUID as a bare path parameter with no Depends(get_flow) or `CurrentActiveUser`. All other file routes (`download_file`, `upload_file`, `list_files`, `delete_file`) use `Depends(get_flow)` which enforces both authentication and ownership. There is no global auth middleware on /api/v1; protection is per-endpoint only.\n\n### PoC\n```\ncurl -v \"http://localhost:7860/api/v1/files/images/\u003cflow_uuid\u003e/\u003cfilename.png\u003e\"\n# Returns HTTP 200 with image bytes, no auth header required\n```\n\n### Impact\nUnauthenticated cross-tenant data leak. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user\u0027s uploaded images without credentials.",
"id": "GHSA-7grx-3xcx-2xv5",
"modified": "2026-06-06T00:56:13Z",
"published": "2026-03-20T20:47:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33484"
},
{
"type": "PACKAGE",
"url": "https://github.com/langflow-ai/langflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-80.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "langflow has Unauthenticated IDOR on Image Downloads"
}
GHSA-7H53-73G8-FJVR
Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-04-13 15:31Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.
{
"affected": [],
"aliases": [
"CVE-2026-4400"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-31T11:16:14Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint \u0027api.1millionbot.com/api/public/conversations/\u0027 and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user\u0027s conversation ID.",
"id": "GHSA-7h53-73g8-fjvr",
"modified": "2026-04-13T15:31:07Z",
"published": "2026-03-31T12:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4400"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7HCJ-3P5P-49GH
Vulnerability from github – Published: 2025-09-03 15:30 – Updated: 2026-04-01 18:36Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 2.4.6.
{
"affected": [],
"aliases": [
"CVE-2025-58597"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-03T15:15:40Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 2.4.6.",
"id": "GHSA-7hcj-3p5p-49gh",
"modified": "2026-04-01T18:36:02Z",
"published": "2025-09-03T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58597"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-2-4-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7HR6-J3QM-7P23
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2024-05-14 21:34In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
{
"affected": [],
"aliases": [
"CVE-2021-36387"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-14T19:15:00Z",
"severity": "MODERATE"
},
"details": "In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page \"ActivityStreamAjax.i4\".",
"id": "GHSA-7hr6-j3qm-7p23",
"modified": "2024-05-14T21:34:39Z",
"published": "2022-05-24T19:17:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36387"
},
{
"type": "WEB",
"url": "https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html"
},
{
"type": "WEB",
"url": "https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7HV6-GV38-78WJ
Vulnerability from github – Published: 2023-06-02 17:09 – Updated: 2023-06-02 17:09Impact
The api interface for DataEase delete dashboard and delete system messages is vulnerable to IDOR.
The interface to delete the dashboard:
1. Create two users: user1 and user2
2. User1 creates a dashboard named pan1
3. User2 creates a dashboard named pan2
4. Both user1 and user2 share their dashboards with the demo user
5. User1 wants to delete his dashboard. We hijack the request with burpsuite. The request will probably look like this: POST /api/share/removePanelShares/440efa7f-efd8-11ed-bec7-1144724bc08c HTTP/1.1. 440efa7f-efd8-11ed-bec7-1144724bc08c is the ID of pan1
6. We replace this ID with the ID of pan2 and continue the execution (i.e. we delete the shares of others)
7. Successfully remove the shared link

The interface to delete system messages:
1. Our request to delete a message is shown below
2. We can delete all messages by simply enumerating the message ID, regardless of whether the message belongs to the requester or not.
3. The interface for marking read messages is also affected
Affected versions: <= 1.18.6
Patches
The vulnerability has been fixed in v1.18.7.
Workarounds
It is recommended to upgrade the version to v1.18.7.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease Email us at wei@fit2cloud.com
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.18.6"
},
"package": {
"ecosystem": "Maven",
"name": "io.dataease:dataease-plugin-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32310"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-02T17:09:17Z",
"nvd_published_at": "2023-06-01T16:15:09Z",
"severity": "HIGH"
},
"details": "### Impact\nThe api interface for DataEase delete dashboard and delete system messages is vulnerable to IDOR.\n\nThe interface to delete the dashboard:\n1. Create two users: user1 and user2\n2. User1 creates a dashboard named pan1\n3. User2 creates a dashboard named pan2\n4. Both user1 and user2 share their dashboards with the demo user\n5. User1 wants to delete his dashboard. We hijack the request with burpsuite. The request will probably look like this: POST /api/share/removePanelShares/440efa7f-efd8-11ed-bec7-1144724bc08c HTTP/1.1. 440efa7f-efd8-11ed-bec7-1144724bc08c is the ID of pan1\n6. We replace this ID with the ID of pan2 and continue the execution (i.e. we delete the shares of others)\n7. Successfully remove the shared link\n\n\nThe interface to delete system messages:\n1. Our request to delete a message is shown below\n\n2. We can delete all messages by simply enumerating the message ID, regardless of whether the message belongs to the requester or not.\n3. The interface for marking read messages is also affected\n\nAffected versions: \u003c= 1.18.6\n\n### Patches\nThe vulnerability has been fixed in v1.18.7.\n\n### Workarounds\nIt is recommended to upgrade the version to v1.18.7.\n\n### References\nIf you have any questions or comments about this advisory:\n\nOpen an issue in https://github.com/dataease/dataease\nEmail us at [wei@fit2cloud.com](mailto:wei@fit2cloud.com)\n",
"id": "GHSA-7hv6-gv38-78wj",
"modified": "2023-06-02T17:09:17Z",
"published": "2023-06-02T17:09:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dataease/dataease/security/advisories/GHSA-7hv6-gv38-78wj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32310"
},
{
"type": "WEB",
"url": "https://github.com/dataease/dataease/pull/5342"
},
{
"type": "WEB",
"url": "https://github.com/dataease/dataease/commit/72f428e87b5395c03d2f94ef6185fc247ddbc8dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/dataease/dataease"
},
{
"type": "WEB",
"url": "https://github.com/dataease/dataease/releases/tag/v1.18.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "DataEase API interface has IDOR vulnerability"
}
GHSA-7J9F-FW49-X4P8
Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2023-01-09 21:30The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.
{
"affected": [],
"aliases": [
"CVE-2022-4340"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-02T22:15:00Z",
"severity": "MODERATE"
},
"details": "The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it\u0027s thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.",
"id": "GHSA-7j9f-fw49-x4p8",
"modified": "2023-01-09T21:30:21Z",
"published": "2023-01-03T00:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4340"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/8a7bd9f6-2789-474b-a237-01c643fdfba7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7JCV-RMG2-JM39
Vulnerability from github – Published: 2025-04-15 21:31 – Updated: 2025-04-15 21:31An unauthenticated attacker can infer the existence of usernames in the system by querying an API.
{
"affected": [],
"aliases": [
"CVE-2025-24487"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T21:15:54Z",
"severity": "MODERATE"
},
"details": "An unauthenticated attacker can infer the existence of usernames in the system by querying an API.",
"id": "GHSA-7jcv-rmg2-jm39",
"modified": "2025-04-15T21:31:45Z",
"published": "2025-04-15T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24487"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7JWW-FM5P-PJ92
Vulnerability from github – Published: 2022-11-17 03:30 – Updated: 2022-11-21 18:30An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail addresses. Furthermore, it is possible to subscribe and verify other persons' e-mail addresses to newsletters without their consent.
{
"affected": [],
"aliases": [
"CVE-2022-44005"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-16T23:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers\u0027 e-mail addresses. Furthermore, it is possible to subscribe and verify other persons\u0027 e-mail addresses to newsletters without their consent.",
"id": "GHSA-7jww-fm5p-pj92",
"modified": "2022-11-21T18:30:37Z",
"published": "2022-11-17T03:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44005"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-026.txt"
},
{
"type": "WEB",
"url": "https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7JX5-9FJG-HP4M
Vulnerability from github – Published: 2026-02-27 22:08 – Updated: 2026-03-30 13:44Vulnerability Summary
The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.
Affected Packages / Versions
- Package: npm
openclaw - Affected published versions:
<= 2026.2.22-2(latest published as of February 24, 2026 is2026.2.22-2) - Patched in code on
main:2026.2.23(released)
Technical Details
- Permission classification trusted incoming
toolCall.kindand heuristic name matching. - Non-core read-like names and spoofed kind metadata could reach auto-approve paths.
readoperations were not scoped strongly enough to cwd in all metadata/title forms.
Fix
- Require trusted core tool IDs for auto-approval and ignore untrusted
toolCall.kindas an authorization source. - Scope
readauto-approval to cwd-resolved paths. - Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names.
Affected Functions
resolvePermissionRequestresolveToolNameForPermissionshouldAutoApproveToolCall
Fix Commit(s)
12cc754332f9a7c92e158ce7644aa22df79c090463dcd28ae0be2de1c75af09cc81841cebeec068f
Found using MCPwner
Thanks @nedlir for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.22-2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32898"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-27T22:08:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Vulnerability Summary\n\nThe OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.\n\n## Affected Packages / Versions\n\n- Package: npm `openclaw`\n- Affected published versions: `\u003c= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`)\n- Patched in code on `main`: `2026.2.23` (released)\n\n## Technical Details\n\n- Permission classification trusted incoming `toolCall.kind` and heuristic name matching.\n- Non-core read-like names and spoofed kind metadata could reach auto-approve paths.\n- `read` operations were not scoped strongly enough to cwd in all metadata/title forms.\n\n## Fix\n\n- Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source.\n- Scope `read` auto-approval to cwd-resolved paths.\n- Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names.\n\n## Affected Functions\n\n- `resolvePermissionRequest`\n- `resolveToolNameForPermission`\n- `shouldAutoApproveToolCall`\n\n## Fix Commit(s)\n\n- `12cc754332f9a7c92e158ce7644aa22df79c0904`\n- `63dcd28ae0be2de1c75af09cc81841cebeec068f`\n\nFound using [MCPwner](https://github.com/Pigyon/MCPwner)\n\n\nThanks @nedlir for reporting.",
"id": "GHSA-7jx5-9fjg-hp4m",
"modified": "2026-03-30T13:44:47Z",
"published": "2026-02-27T22:08:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32898"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/63dcd28ae0be2de1c75af09cc81841cebeec068f"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.23"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-acp-permission-auto-approval-bypass-via-untrusted-tool-metadata"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.