CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in the LLM tool-call JSON, exposing it to any transport, log, or telemetry surface in the path between the LLM provider and the MCP process. This vulnerability is fixed in 0.x.y-security-1.
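A defensive check for the exposure pattern described above, added here as an example and not JunoClaw's own code: it audits one MCP tool-call JSON object for seed-phrase material (by parameter name or by a BIP-39-shaped value) and returns a redacted copy that is safe to write to logs or telemetry. The tool name, argument names and wallet address below are constructed; the mnemonic is the well-known all-"abandon" BIP-39 test vector.

```python
import re

# BIP-39 mnemonics have 12, 15, 18, 21 or 24 words (128..256 bits of entropy).
BIP39_WORD_COUNTS = {12, 15, 18, 21, 24}
# Parameter names that should never appear in an LLM-visible tool call (assumed names).
SECRET_PARAM_NAMES = {"mnemonic", "seed", "seed_phrase", "private_key"}
# Every BIP-39 English word is 3 to 8 lowercase letters.
WORD_RE = re.compile(r"^[a-z]{3,8}$")

def looks_like_mnemonic(value) -> bool:
    """Heuristic: a run of 12/15/18/21/24 lowercase words under any key name.
    A stricter check would also confirm each word is in the BIP-39 wordlist."""
    if not isinstance(value, str):
        return False
    words = value.split()
    return len(words) in BIP39_WORD_COUNTS and all(WORD_RE.match(w) for w in words)

def _scrub(obj, path, hits):
    """Return a redacted copy of obj, recording dotted paths of flagged leaves."""
    if isinstance(obj, dict):
        return {k: _scrub(v, path + (k,), hits) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub(v, path + (str(i),), hits) for i, v in enumerate(obj)]
    if path[-1].lower() in SECRET_PARAM_NAMES or looks_like_mnemonic(obj):
        hits.append(".".join(path))
        return "[REDACTED]"
    return obj

def audit_tool_call(tool_call: dict) -> tuple:
    """(paths of leaked secrets, log-safe copy) for one MCP tool call; input is not mutated."""
    hits = []
    safe = dict(tool_call)
    safe["arguments"] = _scrub(tool_call.get("arguments", {}), ("arguments",), hits)
    return hits, safe

# Constructed tool call in the pre-fix shape: the seed travels as a plain parameter.
SAMPLE_TOOL_CALL = {
    "name": "send_tokens",
    "arguments": {
        "mnemonic": "abandon abandon abandon abandon abandon abandon "
                    "abandon abandon abandon abandon abandon about",
        "to_address": "juno1constructedaddress",
        "amount": "1000ujuno",
    },
}

if __name__ == "__main__":
    leaks, loggable = audit_tool_call(SAMPLE_TOOL_CALL)
    print(leaks, loggable)  # ['arguments.mnemonic'] and a copy with the seed redacted
```

Run this at the boundary where tool calls are logged or forwarded; any non-empty `leaks` list means a seed phrase crossed the LLM transport and the wallet should be treated as exposed.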
Analysis (AI)
JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryptocurrency private keys to logs, telemetry, and transport channels between AI providers and blockchain execution. Every blockchain write operation (token transfers, smart contract deployment, IBC transactions) required the 12- or 24-word seed phrase as a JSON parameter visible to the language model, API logs, and any middleware. …
Remediation (AI)
Within 24 hours: Identify all JunoClaw instances running versions prior to 0.x.y-security-1 and isolate affected systems from production blockchain operations; revoke all wallet mnemonics exposed through logs or telemetry by transferring assets to new wallets generated outside JunoClaw. Within 7 days: Upgrade all JunoClaw deployments to version 0.x.y-security-1 or later; rotate all cryptocurrency credentials and regenerate wallet identities using the new encrypted wallet registry. …
EUVD-2026-29541