Skip to main content

Junoclaw

5 CVEs product

Monthly

CVE-2026-43993 HIGH This Week

Server-Side Request Forgery in JunoClaw's WAVS bridge allows remote attackers to exploit the computeDataVerify function, which fetched agent-supplied URLs without validating scheme, port, or resolved IP addresses. Attackers can trick the bridge into accessing internal cloud metadata services (AWS, GCP), RFC 1918 private networks, databases, and admin APIs running on non-standard ports. Exploitation requires user interaction (UI:R) but no authentication (PR:N), with cross-scope impact (S:C) allowing high confidentiality breach and low availability impact. Fixed in version 0.x.y-security-1 via commit a168608, which implements a comprehensive SSRF guard with scheme/port allowlists, DNS private-IP blocking for both IPv4 and IPv6 ranges, request timeouts, and body size caps. No CISA KEV listing or public exploit code identified at time of analysis.

SSRF Junoclaw
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43992 CRITICAL Act Now

JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryptocurrency private keys to logs, telemetry, and transport channels between AI providers and blockchain execution. Every blockchain write operation (token transfers, smart contract deployment, IBC transactions) required the 12- or 24-word seed phrase as a JSON parameter visible to the language model, API logs, and any middleware. Version 0.x.y-security-1 eliminates mnemonic exposure by introducing a wallet registry with AES-256-GCM encrypted storage and opaque wallet_id references. EPSS data not available for this recent CVE; no public exploit identified at time of analysis.

Information Disclosure Junoclaw
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43990 HIGH This Week

Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute arbitrary shell commands with high integrity and confidentiality impact. The plugin-shell component wrapped agent-supplied commands in 'sh -c' or 'cmd /C' without sanitizing shell metacharacters, enabling malicious AI agents or compromised agent inputs to break out of intended command boundaries. CISA KEV status: not listed. Public exploit code: GitHub commit 2bc54f6 demonstrates the vulnerable code path and fix implementation. EPSS data: not available. The vendor-released patch (0.x.y-security-1) removes the shell wrapper entirely and implements a strict allowlist plus compile-time feature gate.

Command Injection Junoclaw
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-43989 HIGH This Week

Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the agent process by providing crafted filesystem paths. The vulnerability affects all JunoClaw versions prior to 0.x.y-security-1 when an AI agent is induced to accept a malicious path parameter, enabling read access to sensitive files including configuration secrets, private keys, or source code. No active exploitation confirmed via CISA KEV, but the CVSS 8.5 HIGH score reflects significant confidentiality and integrity impact with changed scope. Fixed version 0.x.y-security-1 introduces comprehensive path validation including directory containment checks, symlink resolution guards, file size limits, and WebAssembly magic number verification.

Information Disclosure Junoclaw
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-43991 HIGH This Week

Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blocklist and achieve unauthorized command execution on the host when the unsafe-shell feature was enabled. Attackers could craft commands with special tokens or argument patterns to evade blocklist checks that scanned raw command strings instead of parsed first tokens. The vulnerability required local access but no authentication or user interaction (CVSS AV:L/AC:L/PR:N/UI:N) with high impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis. Fixed in version 0.x.y-security-1 by replacing the blocklist with a strict allowlist on parsed command tokens and removing shell wrapper metacharacter expansion.

Command Injection Junoclaw
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
EPSS 0% CVSS 8.2
HIGH This Week

Server-Side Request Forgery in JunoClaw's WAVS bridge allows remote attackers to exploit the computeDataVerify function, which fetched agent-supplied URLs without validating scheme, port, or resolved IP addresses. Attackers can trick the bridge into accessing internal cloud metadata services (AWS, GCP), RFC 1918 private networks, databases, and admin APIs running on non-standard ports. Exploitation requires user interaction (UI:R) but no authentication (PR:N), with cross-scope impact (S:C) allowing high confidentiality breach and low availability impact. Fixed in version 0.x.y-security-1 via commit a168608, which implements a comprehensive SSRF guard with scheme/port allowlists, DNS private-IP blocking for both IPv4 and IPv6 ranges, request timeouts, and body size caps. No CISA KEV listing or public exploit code identified at time of analysis.

SSRF Junoclaw
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryptocurrency private keys to logs, telemetry, and transport channels between AI providers and blockchain execution. Every blockchain write operation (token transfers, smart contract deployment, IBC transactions) required the 12- or 24-word seed phrase as a JSON parameter visible to the language model, API logs, and any middleware. Version 0.x.y-security-1 eliminates mnemonic exposure by introducing a wallet registry with AES-256-GCM encrypted storage and opaque wallet_id references. EPSS data not available for this recent CVE; no public exploit identified at time of analysis.

Information Disclosure Junoclaw
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute arbitrary shell commands with high integrity and confidentiality impact. The plugin-shell component wrapped agent-supplied commands in 'sh -c' or 'cmd /C' without sanitizing shell metacharacters, enabling malicious AI agents or compromised agent inputs to break out of intended command boundaries. CISA KEV status: not listed. Public exploit code: GitHub commit 2bc54f6 demonstrates the vulnerable code path and fix implementation. EPSS data: not available. The vendor-released patch (0.x.y-security-1) removes the shell wrapper entirely and implements a strict allowlist plus compile-time feature gate.

Command Injection Junoclaw
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the agent process by providing crafted filesystem paths. The vulnerability affects all JunoClaw versions prior to 0.x.y-security-1 when an AI agent is induced to accept a malicious path parameter, enabling read access to sensitive files including configuration secrets, private keys, or source code. No active exploitation confirmed via CISA KEV, but the CVSS 8.5 HIGH score reflects significant confidentiality and integrity impact with changed scope. Fixed version 0.x.y-security-1 introduces comprehensive path validation including directory containment checks, symlink resolution guards, file size limits, and WebAssembly magic number verification.

Information Disclosure Junoclaw
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blocklist and achieve unauthorized command execution on the host when the unsafe-shell feature was enabled. Attackers could craft commands with special tokens or argument patterns to evade blocklist checks that scanned raw command strings instead of parsed first tokens. The vulnerability required local access but no authentication or user interaction (CVSS AV:L/AC:L/PR:N/UI:N) with high impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis. Fixed in version 0.x.y-security-1 by replacing the blocklist with a strict allowlist on parsed command tokens and removing shell wrapper metacharacter expansion.

Command Injection Junoclaw
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy