Common Weakness Enumeration

CWE-672

Allowed-with-Review

Operation on a Resource after Expiration or Release

Abstraction: Class · Status: Draft

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

119 vulnerabilities reference this CWE, most recent first.

GHSA-W3Q8-M492-4PWP

Vulnerability from github – Published: 2024-02-20 19:26 – Updated: 2024-02-20 19:26
VLAI
Summary
Possibility to circumvent the invitation token expiry period
Details

Impact

The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.

When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the devise_invitable gem: https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198

The only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the invite_for expiry period as explained in the gem's documentation: https://github.com/scambra/devise_invitable#model-configuration-

invite_for: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. When invite_for is 0 (the default), the invitation won’t expire.

Decidim sets this configuration to 2.weeks so this configuration should be respected: https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134

The bug is in the devise_invitable gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.

Patches

Update devise_invitable to version 2.0.9 or above by running the following command:

$ bundle update devise_invitable

Workarounds

The invitations can be cancelled directly from the database by running the following command from the Rails console:

> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)

References

OWASP ASVS V4.0.3-2.3.1

This bug has existed in the devise_invitable gem since this commit which was first included in the v0.4.rc3 release of this gem: https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098

All versions since then are affected.

This gem was first introduced at its version ~> 1.7.0 to the decidim-admin gem in this commit which was first included in the v0.0.1.alpha3 release of Decidim: https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34

It was first introduced at its version ~> 1.7.0 to the decidim-system gem in this commit which was also first included in the v0.0.1.alpha3 release of Decidim: https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454

Credits

This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by Deloitte Finland.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.1.alpha3"
            },
            {
              "fixed": "0.26.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.1.alpha3"
            },
            {
              "fixed": "0.26.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.1.alpha3"
            },
            {
              "fixed": "0.26.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "devise_invitable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.rc3"
            },
            {
              "fixed": "2.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.27.0"
            },
            {
              "fixed": "0.27.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.27.0"
            },
            {
              "fixed": "0.27.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.27.0"
            },
            {
              "fixed": "0.27.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-20T19:26:51Z",
    "nvd_published_at": "2024-02-20T18:15:50Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.\n\nWhen using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the `devise_invitable` gem:\nhttps://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198\n\nThe only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period as explained in the gem\u0027s documentation:\nhttps://github.com/scambra/devise_invitable#model-configuration-\n\n\u003e `invite_for`: The period the generated invitation token is valid. After this period, the invited resource won\u2019t be able to accept the invitation. When `invite_for` is `0` (the default), the invitation won\u2019t expire.\n\nDecidim sets this configuration to `2.weeks` so this configuration should be respected:\nhttps://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134\n\nThe bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.\n\n### Patches\nUpdate `devise_invitable` to version `2.0.9` or above by running the following command:\n\n```\n$ bundle update devise_invitable\n```\n\n### Workarounds\nThe invitations can be cancelled directly from the database by running the following command from the Rails console:\n\n```\n\u003e Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)\n```\n\n### References\nOWASP ASVS V4.0.3-2.3.1\n\nThis bug has existed in the `devise_invitable` gem since this commit which was first included in the `v0.4.rc3` release of this gem:\nhttps://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098\n\nAll versions since then are affected.\n\nThis gem was first introduced at its version `~\u003e 1.7.0` to the `decidim-admin` gem in this commit which was first included in the `v0.0.1.alpha3` release of Decidim:\nhttps://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34\n\nIt was first introduced at its version `~\u003e 1.7.0` to the `decidim-system` gem in this commit which was also first included in the `v0.0.1.alpha3` release of Decidim:\nhttps://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454\n\n### Credits\nThis issue was discovered in City of Helsinki\u0027s security audit against Decidim 0.27 done during September 2023. The security audit was implemented by [Deloitte Finland](https://www2.deloitte.com/fi/fi.html).",
  "id": "GHSA-w3q8-m492-4pwp",
  "modified": "2024-02-20T19:26:51Z",
  "published": "2024-02-20T19:26:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48220"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decidim/decidim"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Possibility to circumvent the invitation token expiry period"
}

GHSA-W553-M7X7-P3HJ

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2025-10-14 15:31
VLAI
Details

ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-02T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse.",
  "id": "GHSA-w553-m7x7-p3hj",
  "modified": "2025-10-14T15:31:19Z",
  "published": "2022-05-24T17:27:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/underprotection/CVE-2020-24030"
    },
    {
      "type": "WEB",
      "url": "https://qualiex.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC9C-RV2V-442R

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-06-23 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netrom: Decrease sock refcount when sock timers expire

Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use sock timer API. It replaces mod_timer() by sk_reset_timer(), and del_timer() by sk_stop_timer().

Function sk_reset_timer() will increase the refcount of sock if it is called on an inactive timer, hence, in case the timer expires, we need to decrease the refcount ourselves in the handler, otherwise, the sock refcount will be unbalanced and the sock will never be freed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Decrease sock refcount when sock timers expire\n\nCommit 63346650c1a9 (\"netrom: switch to sock timer API\") switched to use\nsock timer API. It replaces mod_timer() by sk_reset_timer(), and\ndel_timer() by sk_stop_timer().\n\nFunction sk_reset_timer() will increase the refcount of sock if it is\ncalled on an inactive timer, hence, in case the timer expires, we need to\ndecrease the refcount ourselves in the handler, otherwise, the sock\nrefcount will be unbalanced and the sock will never be freed.",
  "id": "GHSA-wc9c-rv2v-442r",
  "modified": "2025-06-23T21:31:21Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47294"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/25df44e90ff5959b5c24ad361b648504a7e39ef3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48866fd5c361ea417ed24b43fc2a7dc2f5b060ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/517a16b1a88bdb6b530f48d5d153478b2552d9a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6811744bd0efb9e472cb15d066cdb460beb8cb8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/853262355518cd1247515b74e83fabf038aa6c29"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9619cc7d97c3aa8ed3cfd2b8678b74fb6d6c7950"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a01634bf91f2b6c42583770eb6815fb6d1e251cf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc1660206c3723c37ed4d622ad81781f1e987250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQPG-FCG8-GQ9P

Vulnerability from github – Published: 2022-04-03 00:01 – Updated: 2022-04-10 00:01
VLAI
Details

Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-324",
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-01T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.",
  "id": "GHSA-wqpg-fcg8-gq9p",
  "modified": "2022-04-10T00:01:05Z",
  "published": "2022-04-03T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33020"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01"
    },
    {
      "type": "WEB",
      "url": "http://www.philips.com/productsecurity"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWW9-GRM3-8MC4

Vulnerability from github – Published: 2024-05-22 21:30 – Updated: 2024-05-22 21:30
VLAI
Details

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288176.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-324",
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token.  IBM X-Force ID:  288176.",
  "id": "GHSA-www9-grm3-8mc4",
  "modified": "2024-05-22T21:30:35Z",
  "published": "2024-05-22T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31895"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/288176"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7154606"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXWG-596P-G8JJ

Vulnerability from github – Published: 2025-11-10 15:31 – Updated: 2025-11-10 15:31
VLAI
Details

In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T14:15:44Z",
    "severity": "LOW"
  },
  "details": "In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context",
  "id": "GHSA-wxwg-596p-g8jj",
  "modified": "2025-11-10T15:31:05Z",
  "published": "2025-11-10T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64686"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X34G-7F63-J8QP

Vulnerability from github – Published: 2023-02-27 21:30 – Updated: 2023-03-08 18:30
VLAI
Details

An issue with app access to camera data was addressed with improved logic. This issue is fixed in macOS Ventura 13. A camera extension may be able to continue receiving video after the app which activated was closed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-27T20:15:00Z",
    "severity": "LOW"
  },
  "details": "An issue with app access to camera data was addressed with improved logic. This issue is fixed in macOS Ventura 13. A camera extension may be able to continue receiving video after the app which activated was closed.",
  "id": "GHSA-x34g-7f63-j8qp",
  "modified": "2023-03-08T18:30:26Z",
  "published": "2023-02-27T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42838"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3RH-M7VP-35F2

Vulnerability from github – Published: 2020-08-05 14:52 – Updated: 2021-06-15 18:11
VLAI
Summary
Operation on a Resource after Expiration or Release in Jetty Server
Details

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.30.v20200610"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.27"
            },
            {
              "fixed": "9.4.30.v20200611"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-17638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672",
      "CWE-675"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-03T20:11:29Z",
    "nvd_published_at": "2020-07-09T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).",
  "id": "GHSA-x3rh-m7vp-35f2",
  "modified": "2021-06-15T18:11:20Z",
  "published": "2020-08-05T14:52:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/issues/4936"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/commit/ff8ae56fa939c3477a0cdd1ff56ce3d902f08fba"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-575561"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd98cfd012490cb02caa1a11aaa0cc38bff2d43bcce9b20c2f01063dd@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbe1f230e87ea947593145d0072d0097ddb0af10fee1161db8ca1546c@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra8661fc8c69c647cb06153c1485d48484a833d873f75dfe45937e9de@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9a2cfa56d30782a0c17a5deb951a622d1f5c8de48e1c3b578ffc2a84@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r81f58591fb4716fb867b36956f30c7c8ad4ab3f23abc952d9d86a2a0@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7fc5f2ed49641ea91c433e3cd0fc3d31c0278c87b82b15c33b881415@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r521168299e023fb075b57afe33d17ff1d09e8a10e0fd8c775ea0e028@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4bdd3f7bb6820a79f9416b6667d718a06d269018619a75ce4b759318@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r378e4cdec15e132575aa1dcb6296ffeff2a896745a8991522e266ad4@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r29073905dc9139d0d7a146595694bf57bb9e35e5ec6aa73eb9c8443a@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/08/17/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Operation on a Resource after Expiration or Release in Jetty Server"
}

GHSA-XMXX-7P24-H892

Vulnerability from github – Published: 2026-04-17 22:32 – Updated: 2026-05-12 13:35
VLAI
Summary
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
Details

Summary

Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.

Impact

A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out.

Affected versions

  • Affected: < 2026.4.15
  • Patched: 2026.4.15

Fix

OpenClaw 2026.4.15 resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value.

Verified in v2026.4.15:

  • src/gateway/server.impl.ts exposes getResolvedAuth() backed by the current runtime secret snapshot.
  • src/gateway/server-http.ts calls getResolvedAuth() for each HTTP request and WebSocket upgrade before running auth checks.
  • src/gateway/server-http.probe.test.ts verifies /ready re-resolves bearer auth after rotation and rejects the old token.

Fix commit included in v2026.4.15 and absent from v2026.4.14:

  • acd4e0a32f12e1ad85f3130f63b42443ce90f094 via PR #66651

Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-324",
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-17T22:32:02Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nGateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.\n\n## Impact\n\nA bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out.\n\n## Affected versions\n\n- Affected: `\u003c 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value.\n\nVerified in `v2026.4.15`:\n\n- `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot.\n- `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks.\n- `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651\n\nThanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.",
  "id": "GHSA-xmxx-7p24-h892",
  "modified": "2026-05-12T13:35:23Z",
  "published": "2026-04-17T22:32:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43585"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/pull/66651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.