Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 6549243c1d3f · 2026-03-05T21:42:46.000Z
GHSA-qj77-c3c8-9c3q GHSA-v773-r54f-q32w GHSA-73hc-m4hx-79pj GHSA-7xhj-55q9-pc3m GHSA-wjpw-4j6x-6rwh
diff --git a/advisories/github-reviewed/2026/02/GHSA-qj77-c3c8-9c3q/GHSA-qj77-c3c8-9c3q.json b/advisories/github-reviewed/2026/02/GHSA-qj77-c3c8-9c3q/GHSA-qj77-c3c8-9c3q.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qj77-c3c8-9c3q",
-  "modified": "2026-02-17T16:44:11Z",
+  "modified": "2026-03-05T21:40:42Z",
   "published": "2026-02-17T16:44:11Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28391"
+  ],
   "summary": "OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating",
   "details": "### Summary\n\nOn Windows nodes, exec requests were executed via `cmd.exe /d /s /c <rawCommand>`. In allowlist/approval-gated mode, the allowlist analysis did not model Windows `cmd.exe` parsing and metacharacter behavior. A crafted command string could cause `cmd.exe` to interpret additional operations (for example command chaining via `&`, or expansion via `%...%` / `!...!`) beyond what was allowlisted/approved.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `<= 2026.2.1`\n- Patched: `>= 2026.2.2`\n- Latest (npm) as of 2026-02-14: `2026.2.13`\n\n### Details\n\n- Default installs: Not affected unless you opt into exec allowlist/approval gating on Windows nodes.\n- Windows execution uses `cmd.exe` via `src/infra/node-shell.ts`.\n- The fix hardens Windows allowlist enforcement by:\n  - Passing the platform into allowlist analysis and rejecting Windows shell metacharacters.\n  - Treating `cmd.exe` invocation as not allowlist-safe on Windows.\n  - Avoiding `cmd.exe` entirely in allowlist mode by executing the parsed argv directly when possible.\n\n### Fix Commit(s)\n\n- `a7f4a53ce80c98ba1452eb90802d447fca9bf3d6`\n\nThanks @simecek for reporting.",
   "severity": [
diff --git a/advisories/github-reviewed/2026/02/GHSA-v773-r54f-q32w/GHSA-v773-r54f-q32w.json b/advisories/github-reviewed/2026/02/GHSA-v773-r54f-q32w/GHSA-v773-r54f-q32w.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v773-r54f-q32w",
-  "modified": "2026-02-18T00:51:03Z",
+  "modified": "2026-03-05T21:41:05Z",
   "published": "2026-02-18T00:51:03Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28392"
+  ],
   "summary": "OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands",
   "details": "## Summary\n\nWhen Slack DMs are configured with `dmPolicy=open`, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.13`\n- Affected configuration: Slack DMs enabled with `channels.slack.dm.policy: open` (aka `dmPolicy=open`)\n\n## Impact\n\nAny Slack user in the workspace who can DM the bot could invoke privileged slash commands via DM.\n\n## Fix\n\nThe slash-command path now computes `CommandAuthorized` for DMs using the same allowlist/access-group gating logic as other inbound paths.\n\nFix commit(s):\n- f19eabee54c49e9a2e264b4965edf28a2f92e657\n\n## Release Process Note\n\n`patched_versions` is set to the planned next release (`2026.2.14`). Once that npm release is published, this advisory should be published.\n\nThanks @christos-eth for reporting.",
   "severity": [
diff --git a/advisories/github-reviewed/2026/03/GHSA-73hc-m4hx-79pj/GHSA-73hc-m4hx-79pj.json b/advisories/github-reviewed/2026/03/GHSA-73hc-m4hx-79pj/GHSA-73hc-m4hx-79pj.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-73hc-m4hx-79pj",
+  "modified": "2026-03-05T21:42:10Z",
+  "published": "2026-03-05T21:42:10Z",
+  "aliases": [
+    "CVE-2026-29787"
+  ],
+  "summary": "mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint",
+  "details": "### Summary\nThe `/api/health/detailed` endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When `MCP_ALLOW_ANONYMOUS_ACCESS=true` is set (required for the HTTP server to function without OAuth/API key), this endpoint is accessible without authentication. Combined with the default `0.0.0.0` binding, this exposes sensitive reconnaissance data to the entire network.\n\n### Details\n### Vulnerable Code\n\n**`health.py:90-101` - System information collection**\n\n```python\nsystem_info = {\n    \"platform\": platform.system(),              # e.g., \"Linux\", \"Darwin\"\n    \"platform_version\": platform.version(),     # Full OS kernel version string\n    \"python_version\": platform.python_version(),# e.g., \"3.12.1\"\n    \"cpu_count\": psutil.cpu_count(),            # CPU core count\n    \"memory_total_gb\": round(memory_info.total / (1024**3), 2),\n    \"memory_available_gb\": round(memory_info.available / (1024**3), 2),\n    \"memory_percent\": memory_info.percent,\n    \"disk_total_gb\": round(disk_info.total / (1024**3), 2),\n    \"disk_free_gb\": round(disk_info.free / (1024**3), 2),\n    \"disk_percent\": round((disk_info.used / disk_info.total) * 100, 2)\n}\n```\n\n**`health.py:131-132` - Database path disclosure**\n\n```python\nif hasattr(storage, 'db_path'):\n    storage_info[\"database_path\"] = storage.db_path  # Full filesystem path\n```\n\n### Authentication Bypass Path\n\nThe `/api/health/detailed` endpoint uses `require_read_access` which calls `get_current_user`. When `MCP_ALLOW_ANONYMOUS_ACCESS=true`, the auth middleware grants access:\n\n```python\n# middleware.py:372-379\nif ALLOW_ANONYMOUS_ACCESS:\n    logger.debug(\"Anonymous access explicitly enabled, granting read-only access\")\n    return AuthenticationResult(\n        authenticated=True,\n        client_id=\"anonymous\",\n        scope=\"read\",\n        auth_method=\"none\"\n    )\n```\n\n**Note**: The basic `/health` endpoint (line 68) has **no auth dependency at all** and returns version and uptime information unconditionally.\n\n### Information Exposed\n\n| Field | Example Value | Reconnaissance Value |\n|-------|--------------|---------------------|\n| `platform` | `\"Linux\"` | OS fingerprinting |\n| `platform_version` | `\"#1 SMP PREEMPT_DYNAMIC...\"` | Kernel version → CVE targeting |\n| `python_version` | `\"3.12.1\"` | Python CVE targeting |\n| `cpu_count` | `8` | Resource enumeration |\n| `memory_total_gb` | `32.0` | Infrastructure profiling |\n| `database_path` | `\"/home/user/.mcp-memory/memories.db\"` | Username + file path disclosure |\n| `database_size_mb` | `45.2` | Data volume estimation |\n\n### Attack Scenario\n\n1. Attacker scans the local network for services on port 8000\n2. Finds mcp-memory-service with HTTP enabled and anonymous access\n3. Calls `GET /api/health/detailed`  (no credentials needed)\n4. Receives OS version, Python version, full database path (revealing username), system resources\n5. Uses this information to:\n   - Target known CVEs for the specific OS/Python version\n   - Identify the database file location for potential direct access\n   - Profile the system for further attacks\n \n### PoC\n\n```python\n# Show the system info that would be exposed\nimport platform, psutil\n\nsystem_info = {\n    \"platform\": platform.system(),\n    \"platform_version\": platform.version(),\n    \"python_version\": platform.python_version(),\n    \"cpu_count\": psutil.cpu_count(),\n    \"memory_total_gb\": round(psutil.virtual_memory().total / (1024**3), 2),\n}\nprint(system_info)  # All of this is returned to unauthenticated users\n```\n\n### Impact\n- **OS fingerprinting**: Exact OS and kernel version enables targeted exploit selection\n- **Path disclosure**: Database path reveals username, home directory structure, and file locations\n- **Resource enumeration**: CPU, memory, and disk info reveal infrastructure scale\n- **Reconnaissance enablement**: Combined information significantly reduces attacker effort for follow-up attacks\n\n## Remediation\n\n1. **Remove system details from default health endpoint** - return only `status`, `version`, `uptime`:\n\n```python\n@router.get(\"/health/detailed\")\nasync def detailed_health_check(\n    storage: MemoryStorage = Depends(get_storage),\n    user: AuthenticationResult = Depends(require_write_access)  # Require admin/write access\n):\n    # Only return storage stats, not system info\n    ...\n```\n\n2. **Do not expose `database_path`** - this leaks the filesystem structure:\n\n```python\n# Remove or redact\n# storage_info[\"database_path\"] = storage.db_path  # REMOVE THIS\n```\n\n3. **Add auth to basic `/health`** or limit it to status-only (no version):\n\n```python\n@router.get(\"/health\")\nasync def health_check():\n    return {\"status\": \"healthy\"}  # No version, no uptime\n```\nAlternatively, **Bind to `127.0.0.1` by default** instead of `0.0.0.0`, preventing network-based reconnaissance entirely:\n\n```python\n# In config.py — change default from '0.0.0.0' to '127.0.0.1'\nHTTP_HOST = os.getenv('MCP_HTTP_HOST', '127.0.0.1')\n```\n\nUsers who need network access can explicitly set `MCP_HTTP_HOST=0.0.0.0`, making the exposure a conscious opt-in rather than a default.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "mcp-memory-service"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "10.21.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-73hc-m4hx-79pj"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/doobidoo/mcp-memory-service/commit/18f4323ca92763196aa2922f691dfbeb6bd84e48"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/doobidoo/mcp-memory-service"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T21:42:10Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-7xhj-55q9-pc3m/GHSA-7xhj-55q9-pc3m.json b/advisories/github-reviewed/2026/03/GHSA-7xhj-55q9-pc3m/GHSA-7xhj-55q9-pc3m.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7xhj-55q9-pc3m",
-  "modified": "2026-03-03T18:09:54Z",
+  "modified": "2026-03-05T21:41:31Z",
   "published": "2026-03-03T18:09:54Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28393"
+  ],
   "summary": "OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading",
   "details": "## Summary\n\nOpenClaw hook mapping transforms could be loaded via absolute paths or `..` traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.\n\n## Affected Versions\n\n- Affected: >= 2.0.0-beta3 and <= 2026.2.13\n- Fixed: 2026.2.14\n\n## Details\n\n`hooks.mappings[].transform.module` is dynamically imported and executed during webhook processing. Path resolution previously accepted absolute paths and did not enforce containment for relative paths, so a config-controlled transform could resolve outside the intended transforms directory.\n\n## Impact\n\nIf an attacker can write the OpenClaw config (or otherwise update hooks config through authenticated configuration mechanisms), they could point a hook mapping transform at an arbitrary module on disk and execute code with the gateway process privileges.\n\n## Reproduction (config-controlled module load)\n\n1. Configure a hook mapping that points to a transform path that escapes the transforms directory (for example via `..` traversal).\n2. Place a malicious ESM module at the resolved location that executes arbitrary code in the gateway process.\n3. Trigger the hook endpoint with the correct hook token.\n\n## Fix\n\nTransform loading is now constrained to the OpenClaw transforms root directory:\n\n- Root: `~/.openclaw/hooks/transforms`\n- `hooks.transformsDir` must be within that directory\n- `transform.module` must be within the selected transforms directory\n\nAttempts to escape the root (absolute paths outside, `..` traversal) are rejected.\n\nFix commit(s):\n\n- a0361b8ba959e8506dc79d638b6e6a00d12887e4\n- 18e8bd68c5015a894f999c6d5e6e32468965bfb5\n\n## Credits\n\nOpenClaw thanks @akhmittra for reporting.",
   "severity": [
diff --git a/advisories/github-reviewed/2026/03/GHSA-wjpw-4j6x-6rwh/GHSA-wjpw-4j6x-6rwh.json b/advisories/github-reviewed/2026/03/GHSA-wjpw-4j6x-6rwh/GHSA-wjpw-4j6x-6rwh.json
@@ -0,0 +1,159 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wjpw-4j6x-6rwh",
+  "modified": "2026-03-05T21:41:25Z",
+  "published": "2026-03-05T21:41:25Z",
+  "aliases": [
+    "CVE-2025-11143"
+  ],
+  "summary": "org.eclipse.jetty:jetty-http has different parsing of invalid URIs",
+  "details": "The Jetty URI parser has some key differences compared to other common parsers when evaluating invalid or unusual URIs. Specifically:\n\n#### Invalid Scheme\n| URI | Jetty | uri-js (nodejs) | node-url(nodejs) |\n|---|---|---| --- |\n| `https>://vulndetector.com/path` | scheme=`http>`| scheme=`https` | invalid URI |\n\n#### Improper IPv4 mapped IPv6\n\n| URI | Jetty | System.Uri(CSharp) | curl(C) |\n|---|---|---| --- |\n| `http://[0:0:0:0:0:ffff:127.0.0.1]` | invalid | host=`[::ffff:127.0.0.1]` | host=`[::ffff:127.0.0.1]` | \n| `http://[::ffff:255.255.0.0]` | invalid | host=`[::ffff:255.255.0.0]` | host=`[::ffff:255.255.0.0]` | \n\n#### Incorrect IPv6 delimeter priority\n\n| URI | Jetty | urllib3(python) | furl(python) | Spring | chromium |\n|---|---|---| --- |---|---|\n| `http://[normal.com@]vulndetector.com/` | host=`[normal.com@]` | invalid | invalid | | |\n| `http://normal.com[user@vulndetector].com/`  | host=`[noirmal.com@vulndetector | | | host=`normal.com` | invalid |\n| `http://normal.com[@]vulndetector.com/`  | host=`normal.com[@] | | | host=`normal.com` | invalid |\n\n#### Incorrect delimeter priority\n\n| URI | Jetty | urllib3(python) | jersey |\n|---|---|---| --- |\n| `http://normal.com/#@vulndetector.com` | host=`vulndetector.com` | host=`normal.com` | host=`normal.com` |\n| `http://normal.com/?@vulndetector.com` | host=`vulndetector.com` | host=`normal.com` | host=`normal.com` |\n\n\n### Impact\nDifferential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response.\nAt the very least, differential parsing may divulge implementation details. \n\n### Patches\nPatched in Supported Open Source versions.\n* 12.1.5 - Supported and available on Maven Central\n* 12.0.31 - Supported and available on Maven Central\n* 11.0.x  - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)\n* 10.0.x  - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)\n* 9.4.x - EOL Release, patches available on [tuxcare](https://tuxcare.com/) and [herodevs](https://www.herodevs.com/)\n\n### Workarounds\nNone\n\n### Resources\n\n + [Java Eclipse Jetty Report_ Incorrect Parsing Priority of the IPv6 Hostname Delimeter.pdf](https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf)\n + [Java Eclipse Jetty Report_ The Parsing Priority of the Delimiter.pdf](https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf)\n + [Java Eclipse Jetty Report_ Parsing Difference Due to Deformed Scheme.pdf](https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf)\n + [Java Eclipse Jetty Report_ Improper IPv4-mapped IPv6 Parsing.pdf](https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty:jetty-http"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.4.0"
+            },
+            {
+              "last_affected": "9.4.58"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty:jetty-http"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.0.0"
+            },
+            {
+              "last_affected": "10.0.26"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty:jetty-http"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.0.0"
+            },
+            {
+              "last_affected": "11.0.26"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty:jetty-http"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "12.0.0"
+            },
+            {
+              "fixed": "12.0.31"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 12.0.30"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty:jetty-http"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "12.1.0"
+            },
+            {
+              "fixed": "12.1.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 12.1.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11143"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jetty/jetty.project"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/22222625/Java.Eclipse.Jetty.Report_.Incorrect.Parsing.Priority.of.the.IPv6.Hostname.Delimeter.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/22222626/Java.Eclipse.Jetty.Report_.The.Parsing.Priority.of.the.Delimiter.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/22222627/Java.Eclipse.Jetty.Report_.Parsing.Difference.Due.to.Deformed.Scheme.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/22222630/Java.Eclipse.Jetty.Report_.Improper.IPv4-mapped.IPv6.Parsing.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T21:41:25Z",
+    "nvd_published_at": "2026-03-05T10:15:54Z"
+  }
+}
