on: ⚠️ hxxps[:]//email-topnet[.]weebly[.]com
🧬 Analysis at: https://urldna.io/scan/69d9c7413b77500006ecbdfa
#cybersecurity #phishing #infosec #urldna #scam #infosec
CVE-2026-35660 - High (8.1)
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /r...
https://www.thehackerwire.com/vulnerability/CVE-2026-35660/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CVE-2026-35668 - High (7.7)
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit inc...
https://www.thehackerwire.com/vulnerability/CVE-2026-35668/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CVE-2026-40158 - High (8.6)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct f...
https://www.thehackerwire.com/vulnerability/CVE-2026-40158/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CVE-2026-35666 - High (8.8)
OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval ...
https://www.thehackerwire.com/vulnerability/CVE-2026-35666/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CVE-2026-35663 - High (8.8)
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unautho...
https://www.thehackerwire.com/vulnerability/CVE-2026-35663/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CVE-2026-35669 - High (8.8)
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary b...
https://www.thehackerwire.com/vulnerability/CVE-2026-35669/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CVE-2026-40156 - High (7.8)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_...
https://www.thehackerwire.com/vulnerability/CVE-2026-40156/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack