Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:L for required scoped admin role; S:C because the exploit crosses agent group authorization boundaries, impacting components the attacker does not control; no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channels into out-of-scope agent groups, exposing unauthorized groups to unapproved channels and enabling unauthorized observation or control of restricted agent group activity.
AnalysisAI
Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The handleChannelApprovalResponse function accepted any connect:ag-X callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account holding the 'admin' role scoped to at least one agent group in a NanoClaw deployment running a version prior to 2.1.0 (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) characterizes this as a network-reachable, low-complexity flaw requiring low privilege - consistent with the scoped admin role requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A scoped admin with legitimate admin rights over agent group `ag-1` participates in the channel-registration approval flow for an unknown incoming messaging channel. Rather than selecting `connect:ag-1` from the presented options, the attacker manually submits the callback value `connect:ag-2` (or any other out-of-scope agent group ID). … |
| Remediation | Upgrade NanoClaw to version 2.1.0 or later, which includes the authorization guard added in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (https://github.com/nanocoai/nanoclaw/commit/0eef8fafdd7c475ab5fd8d37ea566a81e74cd834). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to es
Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privilege
Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-contro
Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinemen
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38466
GHSA-p56g-x65g-wr86