Skip to main content

Nanoclaw

5 CVEs product

Monthly

CVE-2026-56694 MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The `handleChannelApprovalResponse` function accepted any `connect:ag-X` callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. No active exploitation has been confirmed (not listed in CISA KEV), and an upstream fix is available in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (PR #2566).

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56693 MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinement boundary by invoking the `create_agent` delivery-action handler without host-side authorization. The handler performed privileged central-database writes - creating agent groups, container configurations, and destinations - gated only by a container-side MCP tool check that, being inside the untrusted container, is trivially bypassed by writing outbound system rows directly. No public exploit identified at time of analysis; a vendor patch is available and the fix is documented in a public GitHub commit.

Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-56692 MEDIUM PATCH This Month

Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-controlled agents. All releases before 2.1.17 are affected; the `forwardAttachedFiles` function validated attachment filenames with `isSafeAttachmentName` but called `fs.copyFileSync` without first resolving symlinks or confirming the resolved path remained inside the agent's outbox directory. A low-privileged agent can craft a symlink with a safe-looking filename, point it at any host file readable by the NanoClaw process, and receive its contents forwarded as a message attachment. No public exploit is identified at time of analysis, though the VulnCheck advisory and GitHub PR diff provide sufficient detail for a technically capable attacker to reproduce exploitation.

Information Disclosure Nanoclaw
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-56402 HIGH PATCH This Week

Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. Publicly available exploit code exists via the upstream patch diff, but no active exploitation is currently confirmed.

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-7875 CRITICAL PATCH Act Now

Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.

Path Traversal Nanoclaw
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The `handleChannelApprovalResponse` function accepted any `connect:ag-X` callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. No active exploitation has been confirmed (not listed in CISA KEV), and an upstream fix is available in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (PR #2566).

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinement boundary by invoking the `create_agent` delivery-action handler without host-side authorization. The handler performed privileged central-database writes - creating agent groups, container configurations, and destinations - gated only by a container-side MCP tool check that, being inside the untrusted container, is trivially bypassed by writing outbound system rows directly. No public exploit identified at time of analysis; a vendor patch is available and the fix is documented in a public GitHub commit.

Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-controlled agents. All releases before 2.1.17 are affected; the `forwardAttachedFiles` function validated attachment filenames with `isSafeAttachmentName` but called `fs.copyFileSync` without first resolving symlinks or confirming the resolved path remained inside the agent's outbox directory. A low-privileged agent can craft a symlink with a safe-looking filename, point it at any host file readable by the NanoClaw process, and receive its contents forwarded as a message attachment. No public exploit is identified at time of analysis, though the VulnCheck advisory and GitHub PR diff provide sufficient detail for a technically capable attacker to reproduce exploitation.

Information Disclosure Nanoclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. Publicly available exploit code exists via the upstream patch diff, but no active exploitation is currently confirmed.

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Path traversal in NanoClaw's container filesystem boundary allows compromised containers or prompt-injected agents to escape isolation and read arbitrary host files via crafted message IDs and attachment paths, with potential for recursive deletion of host directories during outbox cleanup. The vulnerability exploits insufficient validation of outbound attachment filenames and symlink resolution in the host-side message handling code. Upstream fix available (GitHub commit 7814e45) but released patched version not independently confirmed. No public exploit identified at time of analysis, though proof-of-concept test cases demonstrate both file exfiltration and destructive cleanup paths.

Path Traversal Nanoclaw
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy