Megamansec

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0383 **Description** An OS command injection issue exists in the netrw standard plugin. An attacker can execute arbitrary shell commands with the privileges of the Vim process by inducing a user to open a crafted URL, specifically utilizing the 'sftp://' or 'file://' protocol handlers. **Recommendations** Update to version 9.2.0383.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.1.8 through 2026.2.13 **Description** The software contains a command injection issue in the `scripts/update-clawtributors.ts` script. This affects contributors or maintainers, and CI systems, who execute `bun scripts/update-clawtributors.ts` on a source checkout containing a malicious commit author email. The script extracts a GitHub login from `git log` author metadata and uses it in a shell command via `execSync`. A crafted commit record can inject shell metacharacters, leading to arbitrary command execution. Normal CLI usage, such as `npm i -g openclaw`, is not affected as the script is not part of the shipped CLI and is not executed during routine operation. **Recommendations** Versions 2026.1.8 through 2026.2.13 should be updated to version 2026.2.14 or later. As a temporary workaround, avoid running the `bun scripts/update-clawtributors.ts` script on source checkouts with untrusted commit history.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.1.14-1 through 2026.2.1 **Description** The software contains a flaw where direct message (DM) allowlist matching can be circumvented by precisely matching sender display names and localparts without homeserver verification. This allows remote Matrix users to impersonate permitted identities by utilizing attacker-controlled display names or matching localparts from different homeservers, potentially reaching the routing and agent pipeline. The issue arises because DM allowlist decisions are made by exact-matching entries against sender-derived candidates, including the sender display name and the sender MXID localpart without the homeserver component. If an operator configures Matrix allowlists with display names or bare localparts, a remote Matrix user may be able to impersonate an allowed identity. **Recommendations** Upgrade to OpenClaw version 2026.2.2 or later. Ensure Matrix allowlists contain only full Matrix user IDs (MXIDs) like `@user:server`. Do not use display names or bare localparts.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 **Description** An authentication bypass exists in the optional `voice-call` extension when inbound allowlist policy validation is used. The system accepts empty caller IDs and uses suffix-based matching instead of strict equality. This allows remote attackers to bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits, potentially reaching the voice-call agent and executing tools. The issue affects deployments that have the `voice-call` extension installed and enabled. The vulnerability is related to the inbound allowlist check in the `extensions/voice-call/src/manager.ts` file, which used suffix-based matching and accepted empty caller IDs after normalization. Specifically, missing or empty `from` values normalized to an empty string, causing the allowlist predicate to evaluate as allowed. Additionally, suffix-based matching meant any caller number whose digits ended with an allowlisted number would be accepted. The vulnerable component is the `voice-call` extension. **Recommendations** OpenClaw versions prior to 2026.2.2 should be updated to version 2026.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.1.29 through 2026.2.0 **Description** The OpenClaw software, with the Twitch plugin installed and enabled, has an issue where access control is bypassed. Specifically, the `allowFrom` allowlist is not properly enforced when `allowedRoles` is not set or is empty. This allows unauthorized Twitch users to trigger agent dispatch by mentioning the bot in Twitch chat. The problematic logic resides in the `checkTwitchAccessControl()` function within the Twitch plugin (`extensions/twitch/src/access-control.ts`). When `allowFrom` is configured, the code does not return `allowed: false` for non-members, causing execution to continue. If `allowedRoles` is unset or empty, the function defaults to `allowed: true`, even when `allowFrom` is configured. This can lead to unintended actions, responses, and potential resource exhaustion for operators who relied on `allowFrom` to restrict bot invocation in Twitch chat. **Recommendations** OpenClaw versions 2026.1.29 through 2026.2.0 should be upgraded to version 2026.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.13 @openclaw/bluebubbles versions prior to 2026.2.13 **Description** The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based solely on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. If a deployment exposes the BlueBubbles webhook endpoint through a same-host reverse proxy or an attacker can reach loopback via Server-Side Request Forgery (SSRF), an unauthenticated party may be able to inject inbound webhook events into the agent pipeline. **Recommendations** Versions prior to 2026.2.13 should be updated to version 2026.2.13 or later. Set a non-empty BlueBubbles webhook password. Avoid deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.

**Name of the Vulnerable Software and Affected Versions** WeKan versions prior to 8.21 **Description** A security issue exists in WeKan related to missing authorization within the Rules Handler component. The problem resides in an unknown function of the file `server/publications/rules.js`. This can be exploited remotely. **Recommendations** Upgrade to version 8.21 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions prior to 8.19 **Description** A flaw exists in Wekan that allows for improper authorization. This issue is related to the `setCreateTranslation` function within the `client/components/settings/translationBody.js` file of the Custom Translation Handler component. The attack can be initiated remotely. **Recommendations** Upgrade to version 8.19 or later. Upgrade the affected component.

**Name of the Vulnerable Software and Affected Versions** Wekan versions up to 8.20 **Description** A flaw exists in Wekan that could allow information disclosure. This issue impacts an unspecified part of the `server/publications/cards.js` file within the Meteor Publication Handler component. The attack can be initiated remotely. **Recommendations** Upgrade to version 8.21 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** WeKan versions prior to 8.21 **Description** A security flaw exists in WeKan up to version 8.20. The issue affects unknown code within the `server/methods/fixDuplicateLists.js` file of the Administrative Repair Handler component, leading to improper access controls. This allows for remote exploitation. **Recommendations** Upgrade to version 8.21 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WeKan versions prior to 8.21 **Description** A weakness exists in WeKan related to the Activity Publication Handler component, specifically in the processing of the file `server/publications/activities.js`. A manipulation of this component can lead to information disclosure and can be launched remotely. **Recommendations** Upgrade to version 8.21 to address the issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions up to 8.20 **Description** A flaw exists in Wekan’s LDAP User Sync component, specifically within the `packages/wekan-ldap/server/syncUser.js` file. This issue results in improper access controls and allows for remote exploitation. The vulnerable component is the LDAP User Sync. **Recommendations** Upgrade to version 8.21 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WeKan versions up to 8.20 **Description** A flaw exists in WeKan that relates to improper access controls within the Attachment Storage component. The issue is located in the file `models/attachments.js` and impacts an unknown function. This manipulation can be initiated remotely. Upgrading to version 8.21 resolves this issue. The patch is identified as `c413a7e860bc4d93fe2adcf82516228570bf382d`. **Recommendations** Upgrade to WeKan version 8.21. Upgrade the affected component.

**Name of the Vulnerable Software and Affected Versions** WeKan versions prior to 8.21 **Description** A flaw exists in WeKan up to version 8.20 related to improper access controls within the REST Endpoint component. The issue resides in an unknown function of the `models/boards.js` file. Remote exploitation is possible. **Recommendations** Upgrade to version 8.21 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WeKan versions prior to 8.21 **Description** A flaw exists in WeKan related to missing authorization within the Position-History Tracking component, specifically in the file server/methods/positionHistory.js. This issue allows for remote manipulation, potentially leading to unauthorized access. **Recommendations** Upgrade to version 8.21 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** WeKan versions up to 8.20 **Description** A flaw exists in WeKan that relates to improper access controls. The issue is located in an unknown function within the `server/attachmentMigration.js` file of the Attachment Migration component. This issue can be exploited remotely. **Recommendations** Upgrade to version 8.21 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** WeKan versions up to 8.20 **Description** A flaw exists in WeKan, specifically within the Attachment Storage Handler component. The issue resides in the `applyWipLimit` function located in the `models/lists.js` file. Exploitation of this flaw can lead to improper access controls, and the attack can be executed remotely. **Recommendations** Upgrade to version 8.21 or later to address this issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions up to 8.20 **Description** A security issue has been identified in Wekan related to improper authorization. This occurs due to manipulation of the `item.cardId`, `item.checklistId`, or `card.boardId` arguments within the `setBoardOrgs` function located in the `models/boards.js` file of the REST API component. The attack can be launched remotely and is considered difficult to exploit due to its high complexity. **Recommendations** Upgrade to version 8.21 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** WeKan versions prior to 8.21 **Description** A flaw exists in WeKan that allows for improper access controls. This is due to the manipulation of the `boardId` argument within the `ComprehensiveBoardMigration` function located in the file server/migrations/comprehensiveBoardMigration.js of the Migration Operation Handler component. The issue is potentially exploitable remotely. **Recommendations** Upgrade to version 8.21 or later to address this issue.

**Name of the Vulnerable Software and Affected Versions** Wekan versions up to 8.20 **Description** A security issue exists in Wekan’s REST API component, specifically within the file `models/checklistItems.js`. Manipulation of the arguments `item.cardId`, `item.checklistId`, and `card.boardId` can lead to improper authorization. Remote exploitation is possible. **Recommendations** Upgrade to version 8.21.