Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in the LLM tool-call JSON, exposing it to any transport, log, or telemetry surface in the path between the LLM provider and the MCP process. This vulnerability is fixed in 0.x.y-security-1.
AnalysisAI
JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryptocurrency private keys to logs, telemetry, and transport channels between AI providers and blockchain execution. Every blockchain write operation (token transfers, smart contract deployment, IBC transactions) required the 12- or 24-word seed phrase as a JSON parameter visible to the language model, API logs, and any middleware. Version 0.x.y-security-1 eliminates mnemonic exposure by introducing a wallet registry with AES-256-GCM encrypted storage and opaque wallet_id references. EPSS data not available for this recent CVE; no public exploit identified at time of analysis.
Technical ContextAI
JunoClaw implements Model Context Protocol (MCP) tools that bridge large language models to Cosmos blockchain networks (Juno Network, Celestia DA layer). The vulnerable architecture passed raw BIP-39 mnemonic phrases-the master secret for hierarchical deterministic wallets-as explicit string parameters in MCP tool invocations. These JSON-serialized tool calls traverse the entire stack: LLM provider APIs (OpenAI, Anthropic, local Ollama instances), MCP transport layers, conversation logs, and telemetry systems. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) applies because cryptographic secrets appeared in data structures designed for observable application state. The fix introduces a two-tier key management system: wallet identifiers map to AES-256-GCM encrypted envelopes stored locally (~/.junoclaw/wallets/), with data encryption keys derived either from scrypt-hashed passphrases (JUNOCLAW_WALLET_PASSPHRASE, N=2^17, r=8, p=1) or OS credential managers via @napi-rs/keyring (Windows DPAPI, macOS Keychain, Linux libsecret). Each encryption uses fresh 12-byte IVs and GCM authentication tags for tamper detection. The vulnerable codebase exposed CPE cpe:2.3:a:dragonmonk111:junoclaw affected all pre-security-1 versions.
RemediationAI
Upgrade immediately to JunoClaw v0.x.y-security-1 or later from https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1, which replaces mnemonic parameters with encrypted wallet_id references. After upgrading, migrate existing mnemonics using the cosmos-mcp wallet enrollment process: for OS-bound security run 'cosmos-mcp wallet add <id> --chain <chainId> --backend keychain --mnemonic-stdin' (requires @napi-rs/keyring optional dependency), or for passphrase-protected portability set JUNOCLAW_WALLET_PASSPHRASE and use '--backend passphrase'. Update all agent prompts and MCP tool configurations to pass wallet_id instead of mnemonic. Rotate any mnemonics that were used with vulnerable versions-assume they were logged by LLM provider infrastructure and transfer funds to fresh wallets generated post-patch. For operators unable to upgrade immediately, implement emergency compensating controls: (1) restrict MCP server to localhost-only binding with local Ollama models to eliminate network transit, (2) disable all write tools in mcp_config.json tool allowlists, (3) set up egress filtering to block MCP process network access to LLM provider IPs. These mitigations severely limit functionality (no cloud LLM access, read-only blockchain queries) but prevent further mnemonic leakage until patching completes. Verify wallet encryption with 'cosmos-mcp wallet list' showing backend=keychain or backend=passphrase for all entries, and confirm file permissions 0600 on ~/.junoclaw/wallets/*.enc. No side effects reported for the patched wallet registry; commit diff at https://github.com/Dragonmonk111/junoclaw/commit/339701e shows backward-compatible CLI with clear migration path.
Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the a
Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blo
Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute a
Server-Side Request Forgery in JunoClaw's WAVS bridge allows remote attackers to exploit the computeDataVerify function,
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29541