Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 028f62216dee9f64833d0f1cfda7c217067ceba8. To fix this issue, it is recommended to deploy a patch.
AnalysisAI
OS command injection in 8421bit MiniClaw's executeCognitivePulse function allows authenticated remote attackers to inject arbitrary shell commands via unsanitized prompt input passed to external CLI tools. The vulnerability stems from unsafe string interpolation in command construction, enabling execution of system commands with the privileges of the MiniClaw process. Publicly available exploit code exists, and vendor-released patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 is available on GitHub.
Technical ContextAI
MiniClaw is a Node.js-based application that integrates with external CLI tools (ollama, ccr, gemini, qodercli, etc.) for cognitive processing. The vulnerable executeCognitivePulse function in src/kernel.ts was constructing shell commands by string concatenation, concatenating user-supplied prompts directly into command strings passed to exec() without escaping or validation. The root cause (CWE-78: Improper Neutralization of Special Elements used in an OS Command) resulted from using exec() which spawns a shell and interprets metacharacters. The patch replaces exec() with spawn() using array-based argument passing, which bypasses shell interpretation and prevents command injection. CPE cpe:2.3:a:8421bit:miniclaw:*:*:*:*:*:*:*:* indicates all versions of MiniClaw are potentially affected.
RemediationAI
Deploy patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 or a later version. The patch replaces unsafe exec() calls with spawn() using array-based argument passing, eliminating shell metacharacter interpretation. Users on rolling releases should pull the latest commit from https://github.com/8421bit/MiniClaw/. Patch details are available at https://github.com/8421bit/MiniClaw/pull/7. If immediate patching is not possible, restrict network access to MiniClaw to trusted internal users only, limit the set of available external CLI tools (removing those not in use), and implement input validation on prompts to block common command injection payloads (though this is not a substitute for patching). Verify external CLI tools (ollama, ccr, gemini, etc.) are properly sandboxed, as command injection can invoke any system command available in the MiniClaw process's PATH.
OS command injection in 8421bit MiniClaw 0.8.0 and 0.9.0 allows local authenticated attackers to execute arbitrary syste
Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside t
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28466
GHSA-q253-8qxh-gx79