Skip to main content

clawlet CVE-2026-15618

LOW
Protection Mechanism Failure (CWE-693)
2026-07-14 cna@vuldb.com
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network vector confirmed; user interaction required per 4.0 UI:P; no scope change; all impacts low per 4.0 VC/VI/VA:L.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 14, 2026 - 00:32 vuln.today

DescriptionCVE.org

A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. The affected element is the function guardExecCommand of the file tools/tool_exec.go of the component exec Safety Guard. The manipulation results in protection mechanism failure. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed with the label "not planned".

AnalysisAI

Protection mechanism failure in mosaxiv clawlet up to version 0.2.10 allows remote attackers to bypass the exec Safety Guard, undermining the tool's core command-execution restriction logic. The vulnerability resides in the guardExecCommand function within tools/tool_exec.go, where insufficient enforcement of protection controls permits manipulation that should otherwise be blocked. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted input via network
Delivery
Trigger user-initiated workflow
Exploit
Supply malicious exec argument
Execution
guardExecCommand fails to block
Persist
Achieve limited command execution
Impact
Access or modify low-sensitivity data

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to an endpoint or workflow that invokes the `guardExecCommand` function in clawlet's `tools/tool_exec.go`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite the severe-sounding description of a protection mechanism bypass, the aggregated risk signals point to a low-priority finding for most organizations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can deliver crafted input to a system where clawlet's exec Safety Guard is invoked - such as through a web endpoint or automated pipeline that processes external data - manipulates the input to cause `guardExecCommand` to fail to block an otherwise-restricted exec call. With passive user interaction involved (for example, a user triggering a workflow that processes attacker-supplied content), the guard is bypassed, resulting in limited disclosure or modification of data on the vulnerable system. …
Remediation No vendor-released patch has been identified at time of analysis - the upstream GitHub issue (https://github.com/mosaxiv/clawlet/issues/12) was closed with the label 'not planned', meaning the maintainer does not intend to fix this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15618 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy