EUVD-2026-33743
GHSA-q6qc-xp4q-rjq5
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded.
AnalysisAI
Missing authentication in Enderfga claw-orchestrator's embedded HTTP server (src/embedded-server.ts, EmbeddedServer class) exposes all API endpoints to unauthenticated network access in versions 3.5.5 and earlier, because the OPENCLAW_SERVER_TOKEN authentication mechanism was opt-in rather than enforced by default. Any attacker with network access to the server port can interact with the orchestration management API without credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two conditions: (1) the claw-orchestrator embedded HTTP server port must be network-accessible beyond localhost - instances bound only to loopback are not remotely exploitable; and (2) the OPENCLAW_SERVER_TOKEN environment variable must be unset, which was the factory default in versions 3.5.5 and earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.5 (Medium) reflects a network-accessible, zero-prerequisite attack path (AV:N/AC:L/AT:N/PR:N/UI:N) but limited impact scope - low confidentiality, integrity, and availability impact on the vulnerable system only, with no subsequent system impact (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for or identifies a claw-orchestrator instance with its embedded HTTP server port reachable over the network running version 3.5.5 or earlier without OPENCLAW_SERVER_TOKEN configured. Using the publicly referenced exploit technique from GitHub issue #61, the attacker sends unauthenticated HTTP requests directly to management API endpoints, enumerating orchestration job state or issuing control commands. … |
| Remediation | The primary fix is upgrading to claw-orchestrator v3.5.6, available at https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.5.6 (patch commit d0b02a800aa0689d9428cc4cc170e0b6589fb2c3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today