Skip to main content

CWE-372

Incomplete Internal State Distinction

7 CVEs Avg CVSS 7.0 MITRE
1
CRITICAL
1
HIGH
5
MEDIUM
0
LOW
0
POC
0
KEV

Monthly

CVE-2026-41388 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows remote attackers to bypass configuration revocation controls by restarting the application, which rehydrates revoked Tlon configuration settings from disk state due to improper handling of empty-array settings during startup migration. An attacker with network access and the ability to trigger application restarts can restore previously revoked authentication or authorization configurations without explicit re-enablement, potentially compromising intended security controls.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41340 npm MEDIUM PATCH This Month

OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-41300 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 fails to properly invalidate attacker-discovered endpoints during trust decline operations in remote onboarding workflows, allowing attackers to route gateway credentials to malicious endpoints by preserving their URLs through the trust decline process into manual operator acceptance prompts. The vulnerability requires user interaction (UI:A) but affects gateway credential confidentiality (VC:H), posing a significant risk to organizations using OpenClaw's remote onboarding feature with CVSS 6.9 (medium-high severity).

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2024-22590 CRITICAL Act Now

The TLS engine in Kwik commit 745fd4e2 does not track the current state of the connection. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2023-4012 HIGH This Week

ntpd will crash if the server is not NTS-enabled (no certificate) and it receives an NTS-enabled client request (mode 3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Ntpsec
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-36834 MEDIUM This Month

An Incomplete Internal State Distinction vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX 4600 and SRX 5000 Series allows an adjacent attacker to cause a Denial. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Juniper Denial Of Service Junos
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2021-25735 Go MEDIUM PATCH This Month

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
6.5
EPSS
5.5%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows remote attackers to bypass configuration revocation controls by restarting the application, which rehydrates revoked Tlon configuration settings from disk state due to improper handling of empty-array settings during startup migration. An attacker with network access and the ability to trigger application restarts can restore previously revoked authentication or authorization configurations without explicit re-enablement, potentially compromising intended security controls.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 fails to properly invalidate attacker-discovered endpoints during trust decline operations in remote onboarding workflows, allowing attackers to route gateway credentials to malicious endpoints by preserving their URLs through the trust decline process into manual operator acceptance prompts. The vulnerability requires user interaction (UI:A) but affects gateway credential confidentiality (VC:H), posing a significant risk to organizations using OpenClaw's remote onboarding feature with CVSS 6.9 (medium-high severity).

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

The TLS engine in Kwik commit 745fd4e2 does not track the current state of the connection. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

ntpd will crash if the server is not NTS-enabled (no certificate) and it receives an NTS-enabled client request (mode 3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Ntpsec
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An Incomplete Internal State Distinction vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX 4600 and SRX 5000 Series allows an adjacent attacker to cause a Denial. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Juniper Denial Of Service Junos
NVD
EPSS 6% CVSS 6.5
MEDIUM PATCH This Month

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Kubernetes
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy