Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable callback (AV:N), low attacker effort once a questionId is known (AC:L), requires ability to send a callback payload to the bot (PR:L), no user interaction, integrity-only impact via unauthorized approval dispatch.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response payloads without proper role validation.
AnalysisAI
Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be able to deliver an approval-response callback to NanoClaw's messaging integration (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N) scores 7.1 and accurately reflects a low-privilege, network-reachable authorization bypass with high integrity impact and no confidentiality or availability loss - consistent with an attacker hijacking approval semantics rather than reading data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who learns or guesses a pending approval's questionId - for example, by observing an admin DM, intercepting a webhook, or replaying a leaked callback - submits a crafted approval response payload with value 'approve' and an arbitrary userId. The handler accepts it because role validation is missing, executing the privileged action such as installing attacker-chosen npm packages into the agent's container. … |
| Remediation | Upgrade NanoClaw to 2.1.17 or later, which incorporates the upstream fix from commit 6227bd1a5b016fb1eb76411bb6681b4c924a51a0 (PR https://github.com/nanocoai/nanoclaw/pull/2478) that validates the responder's role against the permissions database before dispatching approval handlers. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all NanoClaw instances and versions in your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to es
Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-contro
Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinemen
Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submittin
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38463
GHSA-mhq9-hcw8-22mj