Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable SSRF requiring low-privilege authentication; limited impact scoped to vulnerable system with no lateral scope change.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/tool_web_fetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed with the label "not planned".
AnalysisAI
Server-side request forgery in mosaxiv clawlet up to version 0.2.10 enables authenticated remote attackers to manipulate the webFetch tool function to issue arbitrary HTTP requests from the server, potentially reaching internal services, cloud metadata endpoints, or other network resources not directly accessible to the attacker. A publicly available proof-of-concept exploit was disclosed via GitHub issue #14, making real-world exploitation more accessible. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid low-privilege account on the clawlet instance (confirmed by CVSS 4.0 PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) reflects a network-exploitable flaw requiring low-privilege authentication, with limited confidentiality, integrity, and availability impact confined to the vulnerable system (VC:L/VI:L/VA:L, SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privilege user of clawlet submits a crafted URL targeting an internal network resource - such as http://169.254.169.254/latest/meta-data/ in a cloud environment - to the webFetch tool endpoint. The server issues the request on the attacker's behalf and returns the response, exposing AWS instance metadata including IAM role credentials. … |
| Remediation | No vendor-released patch is available and none is planned, as the upstream maintainer closed the GitHub issue (#14) as 'not planned.' Organizations using clawlet should consider migrating away from the tool or implementing compensating controls at the network and application layers. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43582
GHSA-q2gc-2p96-wxg9