Donut AI Security Disclosure Evidence
CVE Filing Records
This page collects the 9 CVE filing records from the Donut Browser phase. The official release will replace the Ticket IDs with the actual CVE numbers and add final CWE / CVSS details.
Filing Overview
Filing highlights
- Submission date: 2026-03-21
- Count: 9 candidate CVE IDs
- Filed by: Lucifiel (independent security researcher)
- Receiving platform: MITRE / the relevant CNA
- Status: as of public disclosure, still in the CNA / receiving-platform process; once official CVE numbers are issued, the final CVSS and CWE mapping will be added here.
Vulnerability Mapping
The table below is a draft-stage mapping; the final public version will replace Ticket IDs with the official CVE numbers and add CWE / CVSS information:
| Ticket ID | Mapped vuln | Vulnerability title | CWE candidate | Severity |
|---|---|---|---|---|
| 2012016 | DB-1 | Server-side transaction auto-signing / execution path lacks a strong authorization boundary | CWE-862 / CWE-306 | Critical |
| 2012018 | DB-4 | CORS subdomain wildcard combined with credentials | CWE-942 | Critical |
| 2012020 | DB-3 | Wallet / asset API IDOR | CWE-639 | Critical |
| 2012022 | DB-6 | Role-parameter injection | CWE-20 / CWE-915 | High |
| 2012024 | DB-5 | Insufficient authentication or privilege boundary in the MCP tool layer | CWE-287 / CWE-285 | Critical |
| 2012026 | DB-7 | Weak / no-auth wallet creation | CWE-306 | High |
| 2012030 | DB-8 | Credits / usage-limit bypass | CWE-840 | High |
| 2012032 | DB-9 | AI Agent config and prompt leakage | CWE-200 / CWE-552 | High |
| 2012034 | DB-10 | Cross-user limit-order cancellation | CWE-639 | High |
Notes:
- Ticket IDs are filing-stage numbers; the final version will replace them with the actual CVE numbers.
- CWE candidates are the researcher's suggestions; the receiving platform's determination is authoritative.
- CVSS scores and vectors will be added once official CVE numbers are issued.
Relationship to the 49-Vulnerability Overview
- The 9 CVE filings focus on the Donut Browser phase (DB-1 to DB-35), covering core attack surfaces such as fund safety, IDOR, CORS, MCP, subscription abuse, and config leakage.
- Most remaining DB items are auxiliary attack surface (information leakage, debug endpoints, missing hardening); they are not filed as separate CVEs and appear as supporting evidence in the attack chains.
- Whether the D0-phase issues (D0-1 to D0-14) are filed as separate CVEs will be decided separately based on the state of the D0 system on the disclosure date, to avoid blurring the boundary with upstream OpenClaw issues.
For the full 49-vulnerability list, see the main disclosure, §Vulnerability Overview.