Skip to main content

JunoClaw CVE-2026-43990

| EUVDEUVD-2026-29539 HIGH
Command Injection (CWE-77)
2026-05-12 GitHub_M
8.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 17:16 vuln.today
Analysis Generated
May 12, 2026 - 17:16 vuln.today
CVE Published
May 12, 2026 - 16:22 nvd
HIGH 8.4

DescriptionGitHub Advisory

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be interpreted as command syntax. This vulnerability is fixed in 0.x.y-security-1.

AnalysisAI

Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute arbitrary shell commands with high integrity and confidentiality impact. The plugin-shell component wrapped agent-supplied commands in 'sh -c' or 'cmd /C' without sanitizing shell metacharacters, enabling malicious AI agents or compromised agent inputs to break out of intended command boundaries. CISA KEV status: not listed. Public exploit code: GitHub commit 2bc54f6 demonstrates the vulnerable code path and fix implementation. EPSS data: not available. The vendor-released patch (0.x.y-security-1) removes the shell wrapper entirely and implements a strict allowlist plus compile-time feature gate.

Technical ContextAI

JunoClaw is a Rust-based agentic AI platform (cpe:2.3:a:dragonmonk111:junoclaw) that provides plugin-shell for executing system commands requested by AI agents. The vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in a Command). Vulnerable versions passed agent-supplied arguments through shell interpreters (sh -c on Unix, cmd /C on Windows) without escaping. This design allowed shell metacharacters like semicolons, backticks, pipe symbols, and command substitution syntax to be interpreted as control flow rather than data. The fix replaces the shell wrapper with direct process spawning via Rust's std::process::Command, adds a shell-words parser to safely tokenize arguments, implements a strict allowlist of permitted command names (default: empty), and gates the entire execution subsystem behind an opt-in Cargo feature flag (unsafe-shell). The commit diff shows removal of the substring-based blocklist (described by developers as 'security theatre') and introduction of tempfile and shell-words dependencies for safe argument handling.

RemediationAI

Upgrade to JunoClaw version 0.x.y-security-1 or later (release tag: https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1). The patch (commit 2bc54f6: https://github.com/Dragonmonk111/junoclaw/commit/2bc54f6) introduces breaking changes: shell execution is now gated behind the unsafe-shell Cargo feature flag (disabled by default) and requires explicit allowlist configuration via allowed_commands (defaults to empty). Organizations that need agent shell execution must consciously opt in by enabling the feature flag AND populating the allowlist with specific command names. If upgrading is delayed, implement compensating controls: (1) Run JunoClaw agents in isolated containers or VMs with minimal privileges and no access to sensitive filesystems. (2) Use mandatory access control (AppArmor, SELinux) to restrict the agent process to a minimal command set. (3) Disable the plugin-shell component entirely if agent workflows do not require system command execution (requires code modification in junoclaw-runtime to exclude the shell plugin from initialization). Trade-off: disabling shell execution may break agent workflows that rely on system introspection or file operations. The vendor's SECURITY.md (referenced in commit comments) likely contains additional deployment guidance. If production agents currently rely on the vulnerable shell execution, test thoroughly with the allowlist-based model before deploying the patched version, as the default-deny posture will block previously-permitted commands.

Share

CVE-2026-43990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy