Skip to main content

JunoClaw EUVDEUVD-2026-29538

| CVE-2026-43989 HIGH
Improper Input Validation (CWE-20)
2026-05-12 GitHub_M
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 17:16 vuln.today
Analysis Generated
May 12, 2026 - 17:16 vuln.today
CVE Published
May 12, 2026 - 16:21 nvd
HIGH 8.5

DescriptionGitHub Advisory

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink target, file size, or file format. This vulnerability is fixed in 0.x.y-security-1.

AnalysisAI

Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the agent process by providing crafted filesystem paths. The vulnerability affects all JunoClaw versions prior to 0.x.y-security-1 when an AI agent is induced to accept a malicious path parameter, enabling read access to sensitive files including configuration secrets, private keys, or source code. No active exploitation confirmed via CISA KEV, but the CVSS 8.5 HIGH score reflects significant confidentiality and integrity impact with changed scope. Fixed version 0.x.y-security-1 introduces comprehensive path validation including directory containment checks, symlink resolution guards, file size limits, and WebAssembly magic number verification.

Technical ContextAI

JunoClaw is an agentic AI platform built on Juno Network that exposes an MCP (Model Context Protocol) tool interface allowing AI agents to upload WebAssembly modules. The vulnerability stems from CWE-20 (Improper Input Validation) in the upload_wasm tool's path handling logic. Prior to the security patch, the tool accepted arbitrary filesystem paths from the agent without validating: (1) directory containment within the designated WASM_ROOT, (2) symlink resolution targets, (3) file size constraints, or (4) WebAssembly format magic numbers. The commit diff shows the introduction of a comprehensive path-guard module with 238 lines of test coverage, implementing defenses against path traversal via relative paths (../) or absolute paths, symlink-based escapes from the wasm directory, oversized file uploads (>8MB cap inferred from test fixture creating 9MB file), and non-WASM file uploads via magic byte validation (0x00 0x61 0x73 0x6d WebAssembly header). The CPE identifier cpe:2.3:a:dragonmonk111:junoclaw:*:*:*:*:*:*:*:* indicates this is a software library/application vulnerability affecting the DragonMonk111 vendor's JunoClaw product across all unpatched versions.

RemediationAI

Upgrade immediately to JunoClaw version 0.x.y-security-1 or later, available at https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1. The patch commit a7886cd (https://github.com/Dragonmonk111/junoclaw/commit/a7886cd) introduces a comprehensive path-guard validation module that enforces: directory containment within WASM_ROOT via resolved absolute path comparison, symlink target validation to prevent escapes, 8MB file size limit to block exfiltration of large datasets, and WebAssembly magic number verification (0x00 0x61 0x73 0x6d header) to prevent upload of arbitrary file types. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the upload_wasm MCP tool entirely via configuration - eliminates attack surface but breaks legitimate WebAssembly module upload workflows. (2) Run JunoClaw agents in a chroot jail or container with read-only mounts for all directories except a dedicated wasm upload directory - limits blast radius but requires container orchestration expertise and may break integrations expecting filesystem access. (3) Implement mandatory access control (AppArmor/SELinux) policies restricting agent process reads to /var/lib/junoclaw/wasm and denying access to /etc, /root, /home - effective containment but operationally complex and platform-specific. (4) Deploy file integrity monitoring (FIM) on sensitive paths to detect unauthorized reads as a detection control - provides forensic visibility but does not prevent initial exfiltration. None of these workarounds match the security posture of the vendor patch, which addresses the root cause via input validation. Verify patch application by confirming the path-guard module exists in mcp/src/utils/path-guard.ts and version string matches v0.x.y-security-1 in package metadata.

Share

EUVD-2026-29538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy