Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit cca95b494ba7 · 2026-04-06T16:46:34.000Z
GHSA-gjxx-92w9-8v8f GHSA-v9p7-gf3q-h779 GHSA-x2f5-332j-9xwq GHSA-63mg-xp9j-jfcm GHSA-g87c-r2jp-293w GHSA-g9c2-gf25-3x67
diff --git a/advisories/github-reviewed/2026/03/GHSA-gjxx-92w9-8v8f/GHSA-gjxx-92w9-8v8f.json b/advisories/github-reviewed/2026/03/GHSA-gjxx-92w9-8v8f/GHSA-gjxx-92w9-8v8f.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gjxx-92w9-8v8f",
-  "modified": "2026-03-27T19:58:19Z",
+  "modified": "2026-04-06T16:44:03Z",
   "published": "2026-03-27T19:58:19Z",
   "aliases": [
     "CVE-2026-34076"
@@ -109,6 +109,10 @@
       "type": "WEB",
       "url": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34076"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/clerk/javascript"
@@ -121,6 +125,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-27T19:58:19Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-01T18:16:29Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-v9p7-gf3q-h779/GHSA-v9p7-gf3q-h779.json b/advisories/github-reviewed/2026/03/GHSA-v9p7-gf3q-h779/GHSA-v9p7-gf3q-h779.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v9p7-gf3q-h779",
-  "modified": "2026-03-30T17:07:54Z",
+  "modified": "2026-04-06T16:43:56Z",
   "published": "2026-03-30T17:07:53Z",
   "aliases": [
     "CVE-2026-33949"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33949"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/tinacms/tinacms"
@@ -56,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-30T17:07:53Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-01T17:28:39Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-x2f5-332j-9xwq/GHSA-x2f5-332j-9xwq.json b/advisories/github-reviewed/2026/03/GHSA-x2f5-332j-9xwq/GHSA-x2f5-332j-9xwq.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x2f5-332j-9xwq",
-  "modified": "2026-03-30T17:08:25Z",
+  "modified": "2026-04-06T16:44:36Z",
   "published": "2026-03-30T17:08:25Z",
   "aliases": [
     "CVE-2026-33990"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/docker/model-runner/security/advisories/GHSA-x2f5-332j-9xwq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33990"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/docker/model-runner"
@@ -52,6 +56,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-30T17:08:25Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-01T17:28:39Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-63mg-xp9j-jfcm/GHSA-63mg-xp9j-jfcm.json b/advisories/github-reviewed/2026/04/GHSA-63mg-xp9j-jfcm/GHSA-63mg-xp9j-jfcm.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-63mg-xp9j-jfcm",
-  "modified": "2026-04-01T00:01:10Z",
+  "modified": "2026-04-06T16:46:04Z",
   "published": "2026-04-01T00:01:10Z",
   "aliases": [
     "CVE-2026-33578"
   ],
   "summary": "OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade",
-  "details": "## Summary\n\nWhen only a route-level group allowlist was configured, sender policy resolution silently downgraded from `allowlist` to `open` instead of preserving the configured group policy.\n\n## Impact\n\nAny member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the operator intended sender-level restrictions.\n\n## Affected Component\n\n`extensions/googlechat/src/monitor-access.ts, extensions/zalouser/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e64a881ae0` (`Channels: preserve routed group policy`).",
+  "details": "## Summary\n\nWhen only a route-level group allowlist was configured, sender policy resolution silently downgraded from `allowlist` to `open` instead of preserving the configured group policy.\n\n## Impact\n\nAny member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the operator intended sender-level restrictions.\n\n## Affected Component\n\n`extensions/googlechat/src/monitor-access.ts, extensions/zalouser/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e64a881ae0` (`Channels: preserve routed group policy`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2026/04/GHSA-g87c-r2jp-293w/GHSA-g87c-r2jp-293w.json b/advisories/github-reviewed/2026/04/GHSA-g87c-r2jp-293w/GHSA-g87c-r2jp-293w.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g87c-r2jp-293w",
-  "modified": "2026-04-01T00:23:02Z",
+  "modified": "2026-04-06T16:44:07Z",
   "published": "2026-04-01T00:23:02Z",
   "aliases": [
     "CVE-2026-34603"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34603"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
@@ -60,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T00:23:02Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-01T17:28:41Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-g9c2-gf25-3x67/GHSA-g9c2-gf25-3x67.json b/advisories/github-reviewed/2026/04/GHSA-g9c2-gf25-3x67/GHSA-g9c2-gf25-3x67.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g9c2-gf25-3x67",
-  "modified": "2026-04-01T00:25:22Z",
+  "modified": "2026-04-06T16:44:11Z",
   "published": "2026-04-01T00:25:22Z",
   "aliases": [
     "CVE-2026-34604"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34604"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
@@ -60,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T00:25:22Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-01T17:28:41Z"
   }
 }
