Monthly
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Authenticated users in Mattermost 11.5.x through 11.5.1 and 10.11.x through 10.11.13 can modify post attachments, properties, and pin status beyond the configured edit time window. The vulnerability bypasses the PostEditTimeLimit control via patch and update API endpoints, allowing indefinite modification of non-message post metadata after the intended edit window expires. CVSS 3.1 (Low) reflects network vector with high complexity and low-privilege requirements, while no public exploit or CISA KEV listing exists at time of analysis.
OpenClaw before 2026.4.23 fails to invalidate cached webhook route secrets after rotation, allowing attackers with previously valid secrets to continue authenticating webhook requests and invoking task flows until gateway restart. The vulnerability affects SecretRef-backed webhook authentication where the resolved secret is cached at startup rather than re-resolved per request, weakening credential rotation effectiveness. Vendor-released patch available in version 2026.4.23.
Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.
Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. [CVSS 7.1 HIGH]
MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Critical SSL pinning bypass vulnerability in the deprecated Amazon Cloud Cam that allows unauthenticated attackers on the same network to intercept and modify device traffic by associating the camera to an arbitrary network during its default pairing state. The vulnerability affects all Amazon Cloud Cam units, which reached end-of-life on December 2, 2022, and are no longer receiving security updates. An attacker can exploit this to eavesdrop on video streams, modify device configuration, or potentially gain unauthorized access to associated AWS infrastructure.
This issue was addressed through improved state management. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Authenticated users in Mattermost 11.5.x through 11.5.1 and 10.11.x through 10.11.13 can modify post attachments, properties, and pin status beyond the configured edit time window. The vulnerability bypasses the PostEditTimeLimit control via patch and update API endpoints, allowing indefinite modification of non-message post metadata after the intended edit window expires. CVSS 3.1 (Low) reflects network vector with high complexity and low-privilege requirements, while no public exploit or CISA KEV listing exists at time of analysis.
OpenClaw before 2026.4.23 fails to invalidate cached webhook route secrets after rotation, allowing attackers with previously valid secrets to continue authenticating webhook requests and invoking task flows until gateway restart. The vulnerability affects SecretRef-backed webhook authentication where the resolved secret is cached at startup rather than re-resolved per request, weakening credential rotation effectiveness. Vendor-released patch available in version 2026.4.23.
Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.
Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. [CVSS 7.1 HIGH]
MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Critical SSL pinning bypass vulnerability in the deprecated Amazon Cloud Cam that allows unauthenticated attackers on the same network to intercept and modify device traffic by associating the camera to an arbitrary network during its default pairing state. The vulnerability affects all Amazon Cloud Cam units, which reached end-of-life on December 2, 2022, and are no longer receiving security updates. An attacker can exploit this to eavesdrop on video streams, modify device configuration, or potentially gain unauthorized access to associated AWS infrastructure.
This issue was addressed through improved state management. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.