By weakness (CWE)

CWE-863: related vulnerabilities

CVEs classified under CWE-863. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

18 published vulnerabilities

  • CVE-2026-35674HIGH 8.8

    OpenClaw versions before 2026.5.18 contain a privilege escalation flaw in their chat messaging system. An attacker with basic operator permissions can bypass security controls meant to restrict high-risk actions—such as modifying plugins, configurations, or access policies—by sending commands through internal message routes. This allows someone with limited access to act as if they have full administrative privileges.

  • CVE-2026-35482HIGH 8.0

    alf.io, an open-source ticketing platform for conferences and events, contains a critical sandbox escape flaw in its extension script engine. An authenticated administrator can exploit this vulnerability to run arbitrary commands on the server. The flaw stems from an improperly protected Java object exposed to the sandboxed JavaScript environment, combined with gaps in code validation that allow attackers to use Java reflection to break out of the sandbox entirely. This requires administrator credentials to exploit, but once compromised, grants complete control over the underlying server.

  • CVE-2025-32348HIGH 7.8

    CVE-2025-32348 is a privilege escalation vulnerability affecting Android that allows a local attacker to launch background activities without proper permission validation. An attacker with basic user-level access can exploit this flaw to gain elevated privileges on the device—no special capabilities or user interaction required. The vulnerability exists across multiple code paths where permission checks are missing, creating a consistent attack surface.

  • CVE-2026-3514HIGH 7.5

    Prefect version 3.6.19 contains an authentication bypass vulnerability in its health check exemption logic. The system automatically skips authentication for any URL path ending in 'health' or 'ready', a design meant to allow infrastructure monitoring. An attacker can exploit this by creating resources—such as variables, flows, work pools, work queues, or deployments—with names ending in those keywords, then access them without credentials. This can expose sensitive secrets like API keys and database passwords that are stored in Prefect Variables.

  • CVE-2025-14774HIGH 7.4

    CVE-2025-14774 is a flaw in ABB T-MAC Plus (version 4.0-24) where access control is not properly enforced, allowing an attacker on the same network to disrupt system availability without needing credentials or user interaction. The vulnerability has a CVSS score of 7.4 (HIGH) and is classified as an incorrect authorization issue.

  • CVE-2026-10860MEDIUM 6.5

    CVE-2026-10860 is a logic error in MISP's delete handler that allows authenticated users to bypass validation checks and delete records they shouldn't be able to. The flaw stems from a missing parenthesis in the conditional logic that evaluates HTTP DELETE requests, causing the validator to be skipped when a DELETE method is used. While an attacker must already be authenticated, they can exploit this to circumvent application-level protections and remove protected data.

  • CVE-2026-35673MEDIUM 6.5

    OpenClaw versions before 2026.4.29 contain a Server-Side Request Forgery (SSRF) policy bypass that allows authenticated users to circumvent network security controls. The vulnerability exists in browser debug and export functionality, where attackers can reuse previously-blocked tabs to access or export content that should remain restricted by private-network SSRF policies. This is a policy evasion technique rather than a direct network breach—the attacker must already have authenticated access to these routes, but can then leverage that access to reach otherwise-protected resources.

  • CVE-2026-10211MEDIUM 6.3

    AstrBot version 4.23.6 contains a flaw in how it validates file system paths, allowing authenticated users to bypass access restrictions and read, modify, or delete files they shouldn't be able to access. An attacker with valid credentials can exploit this remotely without user interaction. The vulnerability has already been disclosed publicly, and exploit code may be available.

  • CVE-2026-10815MEDIUM 6.3

    A missing authorization vulnerability was discovered in the Hostel Management System PHP application, specifically in the Admin Dashboard Page's index.php file. An authenticated attacker can manipulate the ID parameter to bypass authorization checks, potentially gaining unauthorized access to sensitive administrative functions. The vulnerability requires valid login credentials but does not require user interaction once authenticated. Public exploit code is available, increasing the practical risk.

  • CVE-2026-42998MEDIUM 6.0

    OpenStack Keystone contains an authentication bypass vulnerability in its application credential system. An attacker with valid credentials can request a token while impersonating another user by manipulating the user identity in the authentication request. Keystone fails to validate that the requesting user owns the application credential being used, allowing the attacker to obtain a token attributed to a victim account. The token grants access only to projects shared between the attacker and victim, and only with roles that overlap between both users' permissions, but this is still sufficient for account takeover scenarios and audit trail manipulation.

  • CVE-2026-42999MEDIUM 6.0

    OpenStack Keystone contains a critical authorization bypass vulnerability that allows any authenticated user to escalate their privileges and access resources belonging to other users or projects. The vulnerability stems from a flaw in how Keystone processes policy enforcement—it blindly merges user-supplied JSON request data into the authorization check dictionary, overwriting the trusted database-sourced security context. This means an attacker can simply inject fake user IDs or project IDs into their API request to trick the system into granting them permissions they shouldn't have. The issue affects all versions before 29.0.2 and has existed since Rocky (14.0.0).

  • CVE-2026-43000MEDIUM 6.0

    An authenticated attacker with basic member-level permissions on an OpenStack Keystone project can escalate their privileges to administrator by chaining two Keystone features—application credentials and trusts—in an unintended way. The attack exploits a validation gap: when an impersonated token is created, Keystone checks the victim's stored admin role assignment in the database rather than validating against the actual permissions on the requesting token. This allows the attacker to create a trust that delegates the victim's admin privileges to themselves. The resulting admin access persists independently and can be maintained through additional credential chains, while all actions appear in audit logs under the victim's identity.

  • CVE-2026-44394MEDIUM 6.0

    OpenStack Keystone, the identity service underlying many cloud deployments, has a flaw in how it handles federated user logins through SAML2 or OpenID Connect. When a user rescopes a token (essentially asking for a new token with different permissions or projects), the system doesn't carry forward the original token's expiration time. Instead, it issues a fresh token with a standard lifetime. An attacker with valid federated credentials can exploit this by repeatedly rescoping their token just before it expires, effectively creating a token that never truly expires. This bypasses the organization's configured token lifetime policies, allowing indefinite access once initial compromise occurs.

  • CVE-2026-34507MEDIUM 5.4

    OpenClaw versions before 2026.4.29 contain a flaw that allows authenticated users to bypass security policies protecting sensitive admin commands. Specifically, attackers can circumvent message delivery restrictions (DM-only policy) and sender authorization checks (allowFrom policy), enabling them to execute administrative functions from contexts or senders that should be blocked. The vulnerability requires an attacker to already have authentication credentials, limiting its blast radius but creating insider risk and account compromise scenarios.

  • CVE-2026-42547MEDIUM 5.4

    IRIS, a web platform used by incident response teams to collaborate and share investigation details, contains an authorization flaw in versions before 2.4.28 that allows users to create alerts falsely attributed to customers they don't manage. When combined with cross-site scripting vulnerabilities, attackers can also steal alerts belonging to other customers. This means a low-privileged user could pollute another team's alert stream with fraudulent incidents or harvest sensitive investigation data.

  • CVE-2026-10616MEDIUM 4.3

    GoClaw, a component of nextlevelbuilder, contains a flaw in how it validates permissions when completing team tasks. An authenticated attacker can manipulate the Team Task Completion Handler to bypass authorization checks, potentially modifying task records they shouldn't have access to. The vulnerability requires a valid login and network access, and affects versions up to 3.11.3. While the issue carries a medium risk profile, the public availability of exploit details increases practical attack likelihood.

  • CVE-2026-32906MEDIUM 4.3

    OpenClaw versions prior to 2026.5.12 contain a privilege escalation flaw in their Slack plugin approval system. Users who hold limited exec approval permissions can manipulate the approval workflow to bypass intended authorization checks, allowing them to approve plugin actions that should require additional oversight or operator configuration. The vulnerability requires an authenticated user to exploit, reducing but not eliminating risk in environments with permissive access controls.

  • CVE-2026-40914MEDIUM 4.3

    Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.