Skip to main content

JunoClaw CVE-2026-43992

| EUVDEUVD-2026-29541 CRITICAL
Information Exposure (CWE-200)
2026-05-12 GitHub_M
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 17:17 vuln.today
Analysis Generated
May 12, 2026 - 17:17 vuln.today
CVE Published
May 12, 2026 - 16:25 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in the LLM tool-call JSON, exposing it to any transport, log, or telemetry surface in the path between the LLM provider and the MCP process. This vulnerability is fixed in 0.x.y-security-1.

AnalysisAI

JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryptocurrency private keys to logs, telemetry, and transport channels between AI providers and blockchain execution. Every blockchain write operation (token transfers, smart contract deployment, IBC transactions) required the 12- or 24-word seed phrase as a JSON parameter visible to the language model, API logs, and any middleware. Version 0.x.y-security-1 eliminates mnemonic exposure by introducing a wallet registry with AES-256-GCM encrypted storage and opaque wallet_id references. EPSS data not available for this recent CVE; no public exploit identified at time of analysis.

Technical ContextAI

JunoClaw implements Model Context Protocol (MCP) tools that bridge large language models to Cosmos blockchain networks (Juno Network, Celestia DA layer). The vulnerable architecture passed raw BIP-39 mnemonic phrases-the master secret for hierarchical deterministic wallets-as explicit string parameters in MCP tool invocations. These JSON-serialized tool calls traverse the entire stack: LLM provider APIs (OpenAI, Anthropic, local Ollama instances), MCP transport layers, conversation logs, and telemetry systems. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) applies because cryptographic secrets appeared in data structures designed for observable application state. The fix introduces a two-tier key management system: wallet identifiers map to AES-256-GCM encrypted envelopes stored locally (~/.junoclaw/wallets/), with data encryption keys derived either from scrypt-hashed passphrases (JUNOCLAW_WALLET_PASSPHRASE, N=2^17, r=8, p=1) or OS credential managers via @napi-rs/keyring (Windows DPAPI, macOS Keychain, Linux libsecret). Each encryption uses fresh 12-byte IVs and GCM authentication tags for tamper detection. The vulnerable codebase exposed CPE cpe:2.3:a:dragonmonk111:junoclaw affected all pre-security-1 versions.

RemediationAI

Upgrade immediately to JunoClaw v0.x.y-security-1 or later from https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1, which replaces mnemonic parameters with encrypted wallet_id references. After upgrading, migrate existing mnemonics using the cosmos-mcp wallet enrollment process: for OS-bound security run 'cosmos-mcp wallet add <id> --chain <chainId> --backend keychain --mnemonic-stdin' (requires @napi-rs/keyring optional dependency), or for passphrase-protected portability set JUNOCLAW_WALLET_PASSPHRASE and use '--backend passphrase'. Update all agent prompts and MCP tool configurations to pass wallet_id instead of mnemonic. Rotate any mnemonics that were used with vulnerable versions-assume they were logged by LLM provider infrastructure and transfer funds to fresh wallets generated post-patch. For operators unable to upgrade immediately, implement emergency compensating controls: (1) restrict MCP server to localhost-only binding with local Ollama models to eliminate network transit, (2) disable all write tools in mcp_config.json tool allowlists, (3) set up egress filtering to block MCP process network access to LLM provider IPs. These mitigations severely limit functionality (no cloud LLM access, read-only blockchain queries) but prevent further mnemonic leakage until patching completes. Verify wallet encryption with 'cosmos-mcp wallet list' showing backend=keychain or backend=passphrase for all entries, and confirm file permissions 0600 on ~/.junoclaw/wallets/*.enc. No side effects reported for the patched wallet registry; commit diff at https://github.com/Dragonmonk111/junoclaw/commit/339701e shows backward-compatible CLI with clear migration path.

Share

CVE-2026-43992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy