Skip to main content

picoclaw CVE-2026-36045

HIGH
OS Command Injection (CWE-78)
2026-05-27 cve@mitre.org GHSA-cv2p-68f4-f4pw
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Source Code Evidence Fetched
May 28, 2026 - 14:22 vuln.today
Analysis Generated
May 28, 2026 - 14:22 vuln.today
CVSS changed
May 28, 2026 - 14:22 NVD
7.3 (HIGH)
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.

AnalysisAI

OS command injection in sipeed picoclaw v0.1.2 and earlier allows remote attackers to bypass an incomplete denylist-based sanitizer in the ExecTool component and execute arbitrary shell commands on the host. The guardCommand() function in pkg/tools/shell.go relies on only eight regex denylist patterns, which is insufficient to block the wide range of shell metacharacters and command-chaining techniques available to an attacker. No public exploit identified at time of analysis, though a third-party gist documenting the issue is referenced from NVD.

Technical ContextAI

picoclaw is a Go-based AI/agent project from sipeed that exposes an ExecTool capability allowing shell command execution, intended to be gated by a safety filter. The vulnerability resides in pkg/tools/shell.go, where guardCommand() implements input validation as a denylist of eight regular expressions rather than an allowlist or proper shell-argument parsing. This is a textbook CWE-78 (Improper Neutralization of Special Elements used in an OS Command) flaw: denylist sanitization for shell input is well known to be fundamentally incomplete because attackers can use alternate quoting, encoding, environment-variable expansion, subshells ($(...), backticks), redirection, IFS manipulation, or simply unlisted binaries to evade pattern matching. Because the tool is invoked through the agent's command-execution path, any user able to reach that path can supply payloads that survive the filter.

Affected ProductsAI

sipeed picoclaw versions v0.1.2 and earlier are affected, specifically the ExecTool component in pkg/tools/shell.go. No CPE strings were provided in the input. The v0.1.2 release is documented at https://github.com/sipeed/picoclaw/releases/tag/v0.1.2, and the release notes do not mention a security fix for guardCommand(), suggesting v0.1.2 itself remains vulnerable.

RemediationAI

No vendor-released patch identified at time of analysis - the v0.1.2 release notes (https://github.com/sipeed/picoclaw/releases/tag/v0.1.2) contain only feature and CI changes with no reference to guardCommand() hardening. As compensating controls, operators should disable or remove the ExecTool capability from any agent/tool registry exposed to untrusted input, replace the denylist approach in pkg/tools/shell.go with a strict allowlist of permitted binaries invoked via exec.Command without a shell (avoiding sh -c and similar wrappers), and run the picoclaw process under a dedicated low-privilege user inside a container or seccomp/AppArmor profile that restricts spawning new processes and outbound network access - accepting that disabling ExecTool will break any legitimate agent workflow that depends on shell execution. Network-level mitigations include placing picoclaw behind authentication and restricting reachability to trusted operators only until an upstream fix lands. Track the upstream repo at https://github.com/sipeed/picoclaw for a release that rewrites guardCommand() or removes the shell path entirely.

Share

CVE-2026-36045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy