Skip to main content

clawlet CVE-2026-16017

| EUVDEUVD-2026-45175 LOW
Missing Authorization (CWE-862)
2026-07-17 VulDB GHSA-xp4x-w877-82xm
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-accessible endpoint requires only low-privilege auth (PR:L); no scope change; all three impacts low since only cron job data is exposed or deletable.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 17, 2026 - 15:22 NVD
MEDIUM LOW
CVSS changed
Jul 17, 2026 - 15:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 17, 2026 - 15:15 vuln.today
CVE Published
Jul 17, 2026 - 14:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. Impacted is the function list/remove of the file tools/tool_cron.go of the component cron Chat Tool. The manipulation results in missing authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed with the label "not planned".

AnalysisAI

Missing authorization in mosaxiv clawlet up to version 0.2.10 allows low-privileged remote attackers to list and remove cron jobs through the cron Chat Tool component without proper permission checks. The affected functions are list and remove in tools/tool_cron.go, enabling unauthorized enumeration and deletion of scheduled tasks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege clawlet credentials
Delivery
Send HTTP request to cron list endpoint
Exploit
Enumerate all scheduled cron jobs
Execution
Send remove request targeting desired job
Impact
Cron job deleted without authorization check

Vulnerability AssessmentAI

Exploitation Requires a valid low-privilege authenticated session in clawlet (PR:L confirmed by CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) reflects a network-accessible, low-complexity attack requiring only low privileges with low C/I/A impacts - an accurate picture for unauthorized cron job list and removal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds any valid low-privilege account on a clawlet instance sends crafted HTTP requests to the cron Chat Tool's list endpoint to enumerate all scheduled cron jobs, then issues remove requests against targeted jobs to disrupt scheduled operations. Because a public proof-of-concept is available via GitHub issue #17, this scenario requires minimal attacker capability beyond possessing valid credentials.
Remediation No vendor-released patch exists and none is planned - the GitHub issue was closed as 'not planned' (https://github.com/mosaxiv/clawlet/issues/17). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-16017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy