Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument constructions, allowing unauthorized command execution on the host when combined with the companion advisory. Pre-patch, the check was applied to the raw command string rather than the parsed first token. This vulnerability is fixed in 0.x.y-security-1.
AnalysisAI
Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blocklist and achieve unauthorized command execution on the host when the unsafe-shell feature was enabled. Attackers could craft commands with special tokens or argument patterns to evade blocklist checks that scanned raw command strings instead of parsed first tokens. The vulnerability required local access but no authentication or user interaction (CVSS AV:L/AC:L/PR:N/UI:N) with high impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis. Fixed in version 0.x.y-security-1 by replacing the blocklist with a strict allowlist on parsed command tokens and removing shell wrapper metacharacter expansion.
Technical ContextAI
JunoClaw is an agentic AI platform built on Juno Network. The vulnerable plugin-shell component provided shell and Python execution capabilities for AI agents. CWE-78 (OS Command Injection) resulted from applying a substring-based blocklist (BLOCKED_PATTERNS array checking for 'rm -rf /', 'shutdown', etc.) to raw command strings before execution. The commit diff shows the blocklist was removed entirely and replaced with a parsed-token allowlist. The fix introduced shell-words crate for proper command parsing (splitting on shell metacharacters), feature-gating via unsafe-shell Cargo feature (disabled by default), and a runtime sandbox_mode kill-switch. Pre-patch, commands passed through sh -c or cmd /C wrappers that expanded metacharacters, enabling classic injection bypasses via argument quoting, variable expansion, and command substitution. CPE cpe:2.3:a:dragonmonk111:junoclaw:*:*:*:*:*:*:*:* indicates all versions prior to the security release were affected.
RemediationAI
Upgrade to JunoClaw version 0.x.y-security-1 or later, confirmed patched in commit 2bc54f6 (https://github.com/Dragonmonk111/junoclaw/commit/2bc54f6). The fix replaces substring blocklist with strict allowlist on parsed first tokens, removes shell wrapper metacharacter expansion (sh -c / cmd /C), and disables unsafe-shell feature by default. For operators who explicitly need shell execution capabilities in AI agents, the new version requires three independent opt-ins: enable unsafe-shell Cargo feature at compile time, set sandbox_mode to false at runtime, and populate allowed_commands allowlist (defaults to empty - fail-closed). CRITICAL: The default allowed_commands list that previously included python, python3, echo, ls, dir, pwd, cat, type was removed - operators must explicitly configure permitted commands. If upgrade is not immediately feasible: (1) Disable unsafe-shell feature at compile time by removing it from Cargo.toml feature flags, which removes execution code paths from binary entirely. (2) If feature already compiled in, set sandbox_mode to true at runtime via configuration to refuse all execution requests (runtime kill-switch). (3) Review AI agent input sources for untrusted data that could influence shell commands. TRADE-OFF: Disabling shell capabilities may break agentic workflows that rely on Python script execution or system command tools - test in non-production first. If mitigations cannot be applied, restrict local access to JunoClaw hosts (e.g., network segmentation, least-privilege IAM) and monitor process execution logs for unexpected command patterns.
JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryp
Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the a
Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute a
Server-Side Request Forgery in JunoClaw's WAVS bridge allows remote attackers to exploit the computeDataVerify function,
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29540