Skip to main content

poco-claw EUVDEUVD-2026-45171

| CVE-2026-16015 LOW
Missing Authentication for Critical Function (CWE-306)
2026-07-17 VulDB GHSA-28fj-c9jc-xpp3
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Adjacent-network vector aligns with CVSS 4.0 AV:A; no authentication or interaction required; low CIA impact scoped to the executor manager service only, no scope change.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
Jul 17, 2026 - 14:22 NVD
MEDIUM LOW
CVSS changed
Jul 17, 2026 - 14:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
Jul 17, 2026 - 13:46 vuln.today
Analysis Generated
Jul 17, 2026 - 13:46 vuln.today
CVE Published
Jul 17, 2026 - 13:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was determined in poco-ai poco-claw up to 0.5.4. This vulnerability affects the function create_task of the file executor_manager/app/api/v1/tasks.py of the component executor_manager API. Executing a manipulation can lead to missing authentication. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.5.7 is able to resolve this issue. This patch is called 67fcc88505c57f77d3fcf04eb5b89425b10cbf48. It is recommended to upgrade the affected component.

AnalysisAI

Missing authentication on the executor_manager control-plane API in poco-ai/poco-claw through version 0.5.4 allows adjacent-network attackers to invoke the create_task endpoint without any credentials, enabling unauthorized task submission to the AI agent execution engine. The CVSS 4.0 vector (AV:A) confirms exploitation requires adjacency to the internal network segment hosting the executor manager service - it is not directly internet-exploitable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent network access to EM subnet
Delivery
Discover executor_manager API port and endpoint
Exploit
Send unauthenticated POST to /api/v1/tasks create_task
Execution
Executor manager accepts and queues task without credential check
Impact
Arbitrary AI workload executes under platform identity

Vulnerability AssessmentAI

Exploitation Exploitation requires adjacent-network access (CVSS 4.0 AV:A) - the attacker must be able to route HTTP traffic to the executor_manager service's API port from within the same network segment or subnet. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 with vector AV:A/AC:L/AT:N/PR:N/UI:N reflects a genuinely low-complexity but adjacency-constrained attack, with modest CIA impact (VC:L/VI:L/VA:L) and no impact on subsequent systems (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the internal network segment hosting the poco-claw deployment - for example, via a compromised container, VM, or lateral movement from another internal host - sends an unauthenticated HTTP POST to the executor_manager's `/api/v1/tasks` endpoint's `create_task` handler. With no token validation in place on unpatched versions, the request is accepted and processed, allowing the attacker to queue arbitrary task definitions to the AI execution engine. …
Remediation Upgrade poco-claw to version 0.5.7, which contains fix commit 67fcc88505c57f77d3fcf04eb5b89425b10cbf48 (https://github.com/poco-ai/poco-claw/commit/67fcc88505c57f77d3fcf04eb5b89425b10cbf48) and is available at https://github.com/poco-ai/poco-claw/releases/tag/0.5.7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy