Skip to main content

JunoClaw EUVDEUVD-2026-29540

| CVE-2026-43991 HIGH
OS Command Injection (CWE-78)
2026-05-12 GitHub_M
8.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 17:16 vuln.today
Analysis Generated
May 12, 2026 - 17:16 vuln.today
CVE Published
May 12, 2026 - 16:19 nvd
HIGH 8.4

DescriptionGitHub Advisory

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument constructions, allowing unauthorized command execution on the host when combined with the companion advisory. Pre-patch, the check was applied to the raw command string rather than the parsed first token. This vulnerability is fixed in 0.x.y-security-1.

AnalysisAI

Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blocklist and achieve unauthorized command execution on the host when the unsafe-shell feature was enabled. Attackers could craft commands with special tokens or argument patterns to evade blocklist checks that scanned raw command strings instead of parsed first tokens. The vulnerability required local access but no authentication or user interaction (CVSS AV:L/AC:L/PR:N/UI:N) with high impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis. Fixed in version 0.x.y-security-1 by replacing the blocklist with a strict allowlist on parsed command tokens and removing shell wrapper metacharacter expansion.

Technical ContextAI

JunoClaw is an agentic AI platform built on Juno Network. The vulnerable plugin-shell component provided shell and Python execution capabilities for AI agents. CWE-78 (OS Command Injection) resulted from applying a substring-based blocklist (BLOCKED_PATTERNS array checking for 'rm -rf /', 'shutdown', etc.) to raw command strings before execution. The commit diff shows the blocklist was removed entirely and replaced with a parsed-token allowlist. The fix introduced shell-words crate for proper command parsing (splitting on shell metacharacters), feature-gating via unsafe-shell Cargo feature (disabled by default), and a runtime sandbox_mode kill-switch. Pre-patch, commands passed through sh -c or cmd /C wrappers that expanded metacharacters, enabling classic injection bypasses via argument quoting, variable expansion, and command substitution. CPE cpe:2.3:a:dragonmonk111:junoclaw:*:*:*:*:*:*:*:* indicates all versions prior to the security release were affected.

RemediationAI

Upgrade to JunoClaw version 0.x.y-security-1 or later, confirmed patched in commit 2bc54f6 (https://github.com/Dragonmonk111/junoclaw/commit/2bc54f6). The fix replaces substring blocklist with strict allowlist on parsed first tokens, removes shell wrapper metacharacter expansion (sh -c / cmd /C), and disables unsafe-shell feature by default. For operators who explicitly need shell execution capabilities in AI agents, the new version requires three independent opt-ins: enable unsafe-shell Cargo feature at compile time, set sandbox_mode to false at runtime, and populate allowed_commands allowlist (defaults to empty - fail-closed). CRITICAL: The default allowed_commands list that previously included python, python3, echo, ls, dir, pwd, cat, type was removed - operators must explicitly configure permitted commands. If upgrade is not immediately feasible: (1) Disable unsafe-shell feature at compile time by removing it from Cargo.toml feature flags, which removes execution code paths from binary entirely. (2) If feature already compiled in, set sandbox_mode to true at runtime via configuration to refuse all execution requests (runtime kill-switch). (3) Review AI agent input sources for untrusted data that could influence shell commands. TRADE-OFF: Disabling shell capabilities may break agentic workflows that rely on Python script execution or system command tools - test in non-production first. If mitigations cannot be applied, restrict local access to JunoClaw hosts (e.g., network segmentation, least-privilege IAM) and monitor process execution logs for unexpected command patterns.

Share

EUVD-2026-29540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy