Skip to main content

8421bit MiniClaw EUVDEUVD-2026-28467

| CVE-2026-8113 LOW
Path Traversal (CWE-22)
2026-05-07 VulDB GHSA-h86r-7gjv-6c7v
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
May 07, 2026 - 22:22 NVD
MEDIUM LOW
CVSS changed
May 07, 2026 - 22:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 07, 2026 - 22:04 vuln.today
Analysis Generated
May 07, 2026 - 22:04 vuln.today
CVE Published
May 07, 2026 - 21:15 nvd
MEDIUM 4.3

DescriptionCVE.org

A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue.

AnalysisAI

Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside the intended skills directory via directory traversal sequences in the skillName or scriptFile parameters. The vulnerability affects the isPathInside function in src/kernel.ts, enabling disclosure of sensitive files with CVSS 4.3 (low confidentiality impact). Publicly available exploit code exists and a vendor patch is available via commit e8bd4e17e9428260f2161378356affc5ce90d6ed.

Technical ContextAI

MiniClaw is a rolling-release Node.js application that manages skill execution through a kernel module. The vulnerability exists in path resolution logic used by the executeSkillScript handler. The flawed isPathInside function in src/kernel.ts failed to properly validate that resolved file paths remained within the designated SKILLS_DIR boundary. Attackers could exploit this by passing crafted skillName or scriptFile parameters containing directory traversal sequences (e.g., '../../../etc/passwd') to path.join(), which does not canonicalize or validate against escape attempts. The CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) root cause is resolved by the patch through explicit path canonicalization using path.resolve() combined with relative path validation and realpath() checks to detect symlink-based escapes.

RemediationAI

Update MiniClaw to the patched version by pulling commit e8bd4e17e9428260f2161378356affc5ce90d6ed or later from https://github.com/8421bit/MiniClaw (PR#8 contains the complete fix). The patch replaces unsafe path.join() calls with a new resolveSkillDirPath() function that validates paths using path.resolve(), path.relative(), and fs.realpath() to prevent directory traversal. Rebuild and restart the application after updating. If immediate patching is not feasible, implement network-level access controls to restrict skill execution endpoints to trusted authenticated users only, and disable the executeSkillScript handler if not required for operations. Monitor skill execution logs for suspicious patterns (requests with '../' sequences or absolute paths). Note that the vulnerability requires authentication (PR:L in CVSS), so disabling public access or enforcing strict authentication policies provides meaningful defense-in-depth while patch deployment is staged.

Share

EUVD-2026-28467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy