Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.
AnalysisAI
Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.
Technical ContextAI
NanoClaw is an AI agent framework that runs containerized agents with isolated filesystem access. The vulnerability exists in the host-side TypeScript code (host-core.ts, session-manager.ts) that processes messages_out.id and content.files values from containers. CWE-22 (path traversal) occurs because the readOutboxFiles and clearOutbox functions failed to validate that supplied message IDs and attachment filenames resolve within the intended session outbox directory. The code accepts traversal sequences like '../../../..' in both message IDs (used to construct outbox paths) and attachment filenames (used for file reads). Additionally, the host followed symlinks created by containers, allowing a container with /workspace write access to pre-create inbox/<msgId> as a symlink pointing outside the session directory. The fix adds path.basename() validation and realpath resolution checks to ensure all file operations stay within session boundaries, plus the 'wx' flag to prevent following pre-existing symlinks during inbound attachment writes.
RemediationAI
Apply the upstream fix by updating to NanoClaw code at or after commit 7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7 available at https://github.com/qwibitai/nanoclaw/commit/7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7 and reviewed in PR #2001 at https://github.com/qwibitai/nanoclaw/pull/2001. Released patched version number not confirmed from available data; verify with vendor for tagged release. If immediate patching is not feasible, implement compensating controls: (1) restrict container /workspace write access to prevent symlink pre-creation in inbox directories (trade-off: may break legitimate agent file operations), (2) implement additional message ID validation at the application layer before passing to NanoClaw session manager (e.g., regex whitelist for alphanumeric-only IDs), (3) run NanoClaw host processes with minimal filesystem permissions using mandatory access controls (SELinux, AppArmor) to contain damage from path traversal (trade-off: complex policy development, may interfere with normal operations), (4) deploy filesystem monitoring to detect unexpected access patterns outside session directories (detection-only, does not prevent exploitation). Note that workarounds (2-4) are partial mitigations; only the vendor patch fully addresses all attack vectors including symlink following and recursive deletion.
Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privilege
Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-contro
Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinemen
Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submittin
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27873
GHSA-42p7-cwm7-4cjg