Skip to main content

NanoClaw CVE-2026-7875

| EUVDEUVD-2026-27873 CRITICAL
Path Traversal (CWE-22)
2026-05-06 VulnCheck GHSA-42p7-cwm7-4cjg
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 06, 2026 - 17:30 vuln.today
Analysis Generated
May 06, 2026 - 17:30 vuln.today
Severity Changed
May 06, 2026 - 17:22 NVD
HIGH CRITICAL
CVSS changed
May 06, 2026 - 17:22 NVD
8.8 (HIGH) 9.3 (CRITICAL)

DescriptionCVE.org

NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.

AnalysisAI

Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.

Technical ContextAI

NanoClaw is an AI agent framework that runs containerized agents with isolated filesystem access. The vulnerability exists in the host-side TypeScript code (host-core.ts, session-manager.ts) that processes messages_out.id and content.files values from containers. CWE-22 (path traversal) occurs because the readOutboxFiles and clearOutbox functions failed to validate that supplied message IDs and attachment filenames resolve within the intended session outbox directory. The code accepts traversal sequences like '../../../..' in both message IDs (used to construct outbox paths) and attachment filenames (used for file reads). Additionally, the host followed symlinks created by containers, allowing a container with /workspace write access to pre-create inbox/<msgId> as a symlink pointing outside the session directory. The fix adds path.basename() validation and realpath resolution checks to ensure all file operations stay within session boundaries, plus the 'wx' flag to prevent following pre-existing symlinks during inbound attachment writes.

RemediationAI

Apply the upstream fix by updating to NanoClaw code at or after commit 7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7 available at https://github.com/qwibitai/nanoclaw/commit/7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7 and reviewed in PR #2001 at https://github.com/qwibitai/nanoclaw/pull/2001. Released patched version number not confirmed from available data; verify with vendor for tagged release. If immediate patching is not feasible, implement compensating controls: (1) restrict container /workspace write access to prevent symlink pre-creation in inbox directories (trade-off: may break legitimate agent file operations), (2) implement additional message ID validation at the application layer before passing to NanoClaw session manager (e.g., regex whitelist for alphanumeric-only IDs), (3) run NanoClaw host processes with minimal filesystem permissions using mandatory access controls (SELinux, AppArmor) to contain damage from path traversal (trade-off: complex policy development, may interfere with normal operations), (4) deploy filesystem monitoring to detect unexpected access patterns outside session directories (detection-only, does not prevent exploitation). Note that workarounds (2-4) are partial mitigations; only the vendor patch fully addresses all attack vectors including symlink following and recursive deletion.

Share

CVE-2026-7875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy