Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.
Start learningUpgrade @enderfga/claw-orchestrator to version 3.5.6 or higher.
@enderfga/claw-orchestrator is a Claw Orchestrator — run Claude Code, Codex, Gemini, Cursor Agent, OpenCode and custom coding CLIs as one unified runtime. Drop into Hermes Agent, Claude Desktop, Cursor, Cline, Continue, Zed, Windsurf, Goose or any Model Context Protocol (MCP) host, insta
Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the EmbeddedServer API endpoint in src/embedded-server.ts. An attacker can access protected server routes without credentials by sending requests to the embedded HTTP server. The server processes API requests unauthenticated by default, so remote clients can invoke the embedded management endpoints and perform actions that should require a token. This exposes the user's running orchestrator instance to unauthorized access and control.
Notes
OPENCLAW_SERVER_TOKEN is unset, the process accepts requests without any credential gate instead of requiring an explicit token configuration.