Publish Advisories

GHSA-5f7h-p83x-5vc2
GHSA-88v5-9hxc-f85r
GHSA-h39g-6x3c-7fq9

Author: advisory-database[bot]

…-5f7h-p83x-5vc2/GHSA-5f7h-p83x-5vc2.json …-5f7h-p83x-5vc2/GHSA-5f7h-p83x-5vc2.jsonadvisories/unreviewed/2026/04/GHSA-5f7h-p83x-5vc2/GHSA-5f7h-p83x-5vc2.json renamed to advisories/github-reviewed/2026/04/GHSA-5f7h-p83x-5vc2/GHSA-5f7h-p83x-5vc2.json advisories/unreviewed/2026/04/GHSA-5f7h-p83x-5vc2/GHSA-5f7h-p83x-5vc2.json renamed to advisories/github-reviewed/2026/04/GHSA-5f7h-p83x-5vc2/GHSA-5f7h-p83x-5vc2.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5f7h-p83x-5vc2",
-  "modified": "2026-04-10T00:30:29Z",
+  "modified": "2026-04-18T00:55:40Z",
   "published": "2026-04-10T00:30:29Z",
-  "aliases": [
-    "CVE-2026-35624"
-  ],
-  "details": "OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.",
+  "withdrawn": "2026-04-18T00:55:40Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens",
+  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-xhq5-45pm-2gjr. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -17,7 +17,27 @@
       "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2026.3.22"
+      }
+    }
+  ],
   "references": [
     {
       "type": "WEB",
@@ -45,8 +65,8 @@
       "CWE-807"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T00:55:40Z",
     "nvd_published_at": "2026-04-09T22:16:30Z"
   }
 }

…-88v5-9hxc-f85r/GHSA-88v5-9hxc-f85r.json …-88v5-9hxc-f85r/GHSA-88v5-9hxc-f85r.jsonadvisories/unreviewed/2026/04/GHSA-88v5-9hxc-f85r/GHSA-88v5-9hxc-f85r.json renamed to advisories/github-reviewed/2026/04/GHSA-88v5-9hxc-f85r/GHSA-88v5-9hxc-f85r.json advisories/unreviewed/2026/04/GHSA-88v5-9hxc-f85r/GHSA-88v5-9hxc-f85r.json renamed to advisories/github-reviewed/2026/04/GHSA-88v5-9hxc-f85r/GHSA-88v5-9hxc-f85r.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-88v5-9hxc-f85r",
-  "modified": "2026-04-17T06:31:08Z",
+  "modified": "2026-04-18T00:53:47Z",
   "published": "2026-04-17T06:31:08Z",
   "aliases": [
     "CVE-2026-5807"
   ],
+  "summary": "HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations",
   "details": "Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/hashicorp/vault"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.21.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -22,15 +43,19 @@
     {
       "type": "WEB",
       "url": "https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/hashicorp/vault"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-770"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T00:53:47Z",
     "nvd_published_at": "2026-04-17T05:16:19Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-h39g-6x3c-7fq9/GHSA-h39g-6x3c-7fq9.json

@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h39g-6x3c-7fq9",
+  "modified": "2026-04-18T00:55:19Z",
+  "published": "2026-04-18T00:55:19Z",
+  "aliases": [],
+  "summary": "Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment",
+  "details": "# Summary\n\n`SubFileSystem` fails to confine operations to its declared sub path when the input path is `/../` (or equivalents `/../`, `/..\\\\`). This path passes all validation but resolves to the root of the parent filesystem, allowing directory level operations outside the intended boundary.\n\n# Affected Component\n\n`Zio.UPath.ValidateAndNormalize`\n`Zio.FileSystems.SubFileSystem`\n\n`UPath.ValidateAndNormalize` has a trailing slash optimisation.\n\n```csharp\nif (!processParts && i + 1 == path.Length)\n    return path.Substring(0, path.Length - 1);\n```\n\nWhen the input ends with `/` or `\\`, and `processParts` is still false, the function strips the trailing separator and returns immediately before the `..` resolution logic runs.  The input `/../` triggers this path: the trailing `/` is the last character, `processParts` has not been set (because `..` as the first relative segment after root is specifically exempted), so the function returns `/..` with the `..` segment unresolved.\n\nThe resulting `UPath` with `FullName = \"/..\"` is absolute, contains no control characters, and no colon so it passes `FileSystem.ValidatePath` without rejection.\n\nWhen this path reaches `SubFileSystem.ConvertPathToDelegate`:\n\n```csharp\nprotected override UPath ConvertPathToDelegate(UPath path)\n{\n    var safePath = path.ToRelative();     // \"/..\".ToRelative() = \"..\"\n    return SubPath / safePath;            // \"/jail\" / \"..\" = \"/\"  (resolved by Combine)\n}\n```\n\nThe delegate filesystem receives `/` (the root) instead of a path under `/jail`.\n\n# Proof of Concept\n\n```csharp\nusing Zio;\nusing Zio.FileSystems;\n\nvar root = new MemoryFileSystem();\nroot.CreateDirectory(\"/sandbox\");\nvar sub = new SubFileSystem(root, \"/sandbox\");\n\nConsole.WriteLine(sub.DirectoryExists(\"/../\"));           // True (sees parent root)\nConsole.WriteLine(sub.ConvertPathToInternal(\"/../\"));     // \"/\" (parent root path)\n```\n\n# Impact\n\nThe escape is limited to directory level operations because appending a filename after `..` (e.g., `/../file.txt`) causes normal `..` resolution to trigger, which correctly rejects the path as going above root.  Only the bare terminal `/../` (which strips to `/..`) survives.  This means that exploitability is limited, and this vulnerability does not escalate to file read/write.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Zio"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.22.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.22.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/xoofx/zio/security/advisories/GHSA-h39g-6x3c-7fq9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xoofx/zio/commit/c8c2f5328e50c1e7ab8c5c405fe70e0bd35f4782"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/xoofx/zio"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xoofx/zio/releases/tag/0.22.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-179",
+      "CWE-22"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T00:55:19Z",
+    "nvd_published_at": null
+  }
+}