Publish Advisories

GHSA-5326-6f73-m96w
GHSA-866c-wwm5-4rj7
GHSA-h29g-q5c2-9h4f
GHSA-866c-wwm5-4rj7

Author: advisory-database[bot]

…-5326-6f73-m96w/GHSA-5326-6f73-m96w.json …-5326-6f73-m96w/GHSA-5326-6f73-m96w.jsonadvisories/unreviewed/2026/03/GHSA-5326-6f73-m96w/GHSA-5326-6f73-m96w.json renamed to advisories/github-reviewed/2026/03/GHSA-5326-6f73-m96w/GHSA-5326-6f73-m96w.json advisories/unreviewed/2026/03/GHSA-5326-6f73-m96w/GHSA-5326-6f73-m96w.json renamed to advisories/github-reviewed/2026/03/GHSA-5326-6f73-m96w/GHSA-5326-6f73-m96w.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5326-6f73-m96w",
-  "modified": "2026-03-19T03:30:57Z",
+  "modified": "2026-03-19T18:21:39Z",
   "published": "2026-03-19T03:30:57Z",
-  "aliases": [
-    "CVE-2026-31993"
-  ],
-  "details": "OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.",
+  "withdrawn": "2026-03-19T18:21:39Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains",
+  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-5f9p-f3w2-fwch. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -17,7 +17,27 @@
       "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2026.2.22"
+      }
+    }
+  ],
   "references": [
     {
       "type": "WEB",
@@ -45,8 +65,8 @@
       "CWE-184"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-19T18:21:39Z",
     "nvd_published_at": "2026-03-19T02:16:04Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-866c-wwm5-4rj7/GHSA-866c-wwm5-4rj7.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-866c-wwm5-4rj7",
+  "modified": "2026-03-19T18:21:59Z",
+  "published": "2026-03-19T03:30:57Z",
+  "withdrawn": "2026-03-19T18:21:59Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing",
+  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-r9q5-c7qc-p26w. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2026.2.24"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28449"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-294"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-19T18:21:59Z",
+    "nvd_published_at": "2026-03-19T02:16:02Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-h29g-q5c2-9h4f/GHSA-h29g-q5c2-9h4f.json

@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h29g-q5c2-9h4f",
+  "modified": "2026-03-19T18:21:18Z",
+  "published": "2026-03-19T18:21:18Z",
+  "aliases": [
+    "CVE-2026-33323"
+  ],
+  "summary": "Parse Server email verification resend page leaks user existence",
+  "details": "### Impact\n\nThe Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing `emailVerifySuccessOnInvalidEmail` configuration option, which is enabled by default and protects the API route against this, did not apply to these routes.\n\n### Patches\n\nThe email verification resend routes now respect the `emailVerifySuccessOnInvalidEmail` option. When set to `true` (the default), both routes redirect to the success page regardless of the outcome, preventing user enumeration.\n\n### Workarounds\n\nThere is no known workaround to prevent the information disclosure other than upgrading.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.6.0-alpha.40"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.51"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10238"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10243"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-204"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-19T18:21:18Z",
+    "nvd_published_at": null
+  }
+}