Skip to main content

Sipeed PicoClaw EUVDEUVD-2026-42776

| CVE-2026-15320 LOW
Missing Authorization (CWE-862)
2026-07-10 VulDB GHSA-9c82-3f2r-v942
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-reachable with low complexity; PR:L required per CVSS 4.0 input; no confidentiality impact; scope unchanged with low integrity and availability impact only.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 10, 2026 - 03:22 NVD
MEDIUM LOW
CVSS changed
Jul 10, 2026 - 03:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 10, 2026 - 02:45 vuln.today
CVE Published
Jul 10, 2026 - 02:00 cve.org
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.

AnalysisAI

Missing authorization in Sipeed PicoClaw up to version 0.2.9 permits remote low-privileged attackers to invoke the rt.ReloadConfig function in pkg/channels/pico/pico.go by manipulating the message.send argument without proper authorization checks. The integrity and availability of the affected system are both at limited risk, as the CVSS 4.0 vector confirms no confidentiality exposure but allows unauthorized configuration reload or disruption. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege credentials or session
Delivery
Send crafted message.send argument over network
Exploit
Invoke rt.ReloadConfig without authorization check
Execution
Force unauthorized configuration reload
Impact
Degrade service integrity or availability

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold low-privilege authenticated access to the Sipeed PicoClaw service (PR:L per CVSS 4.0 vector) - unauthenticated exploitation is not indicated by the available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) characterizes a network-reachable, low-complexity flaw requiring low privileges with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker with low-privilege access to the Sipeed PicoClaw service crafts a message containing a manipulated message.send argument targeting the rt.ReloadConfig function endpoint; because no authorization check is enforced, the server processes the request and reloads its configuration, potentially disrupting service availability or altering operational behavior. A public proof-of-concept is available at https://github.com/sipeed/picoclaw/issues/3071, lowering the skill threshold required to reproduce the attack.
Remediation No vendor-released patch has been identified at the time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy