Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector and low privileges required; scope change (S:C) because the agent escapes its outbox boundary to read host files; no integrity or availability impact applies.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
AnalysisAI
Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-controlled agents. All releases before 2.1.17 are affected; the forwardAttachedFiles function validated attachment filenames with isSafeAttachmentName but called fs.copyFileSync without first resolving symlinks or confirming the resolved path remained inside the agent's outbox directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control an agent process with write access to that agent's own outbox directory within a NanoClaw deployment (PR:L per CVSS 4.0 - low-privilege agent-level access). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 scores this at 6.8 with AV:L/PR:L, accurately reflecting that exploitation is constrained to the local host and requires at minimum agent-process-level access - this is not a remotely exploitable, unauthenticated attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker controlling an agent process creates a file named `invoice.pdf` inside the agent's outbox directory that is actually a symlink to `/home/nanoclaw/.ssh/id_rsa` or `/etc/shadow`. The agent sends a message to another agent listing `invoice.pdf` as an attachment; NanoClaw's unpatched `forwardAttachedFiles` passes the filename check, calls `fs.copyFileSync` which follows the symlink, and delivers the host private key contents to the destination agent's inbox. … |
| Remediation | Upgrade to NanoClaw 2.1.17 or later, which incorporates the symlink detection and path containment fix from PR #2468 (commit 28032bc0eca76c91fb3d8be0013e8bcaf2f5aeae); see https://github.com/nanocoai/nanoclaw/pull/2468. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to es
Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privilege
Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinemen
Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submittin
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38464
GHSA-6373-p7g2-mx2w