Skip to main content

Poco Claw

1 CVEs product

Monthly

CVE-2026-15622 MEDIUM POC PATCH This Month

Unauthenticated authorization bypass in poco-ai/poco-claw's Workspace API allows remote attackers to access arbitrary users' workspace files by manipulating the user_id parameter in the get_workspace_file function. All versions through 0.5.4 are affected, with the executor manager's control-plane routes completely lacking token-based authentication before the fix. Publicly available exploit code exists (POC confirmed via GitHub issue #133 and PR #135); no CISA KEV listing at time of analysis.

Authentication Bypass Poco Claw
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Unauthenticated authorization bypass in poco-ai/poco-claw's Workspace API allows remote attackers to access arbitrary users' workspace files by manipulating the user_id parameter in the get_workspace_file function. All versions through 0.5.4 are affected, with the executor manager's control-plane routes completely lacking token-based authentication before the fix. Publicly available exploit code exists (POC confirmed via GitHub issue #133 and PR #135); no CISA KEV listing at time of analysis.

Authentication Bypass Poco Claw
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy