Description
A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Enderfga claw‑orchestrator’s EmbeddedServer component allows a remote attacker to contact the API endpoint without any authentication, due to a missing check in the embedded‑server.ts file. Because the flaw exists in all releases up to 3.5.5, a publicly available exploit can be used to perform unauthorized actions against the orchestrator platform.

Affected Systems

The flaw affects Enderfga claw‑orchestrator for all releases up to and including 3.5.5. The official fix is supplied in version 3.5.6, which can be downloaded from the project’s release tag v3.5.6 or applied via the referenced patch commit d0b02a800aa0689d9428cc4cc170e0b6589fb2c3.

Risk and Exploitability

With a CVSS score of 6.9 the vulnerability is moderate‑high severity. No EPSS score is published, but the exploit has already been released to the public, indicating that attackers may attempt to leverage the weakness. Although the vulnerability is not listed in the CISA KEV catalog, it remains risky because it permits remote, unauthenticated access and could serve as a foothold for further compromise. The attack vector is clearly remote, meaning exposed instances are vulnerable without network isolation.

Generated by OpenCVE AI on June 1, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Enderfga claw‑orchestrator to version 3.5.6 or later to eliminate the missing authentication flaw.
  • During the upgrade, block external traffic to the embedded‑server API endpoint with a firewall rule or network segmentation so that only trusted systems can reach the service.
  • If an immediate upgrade is not possible, implement a temporary authentication layer (e.g., basic authentication or token validation) on the API endpoint to enforce access control until the vendor’s patch is applied.

Generated by OpenCVE AI on June 1, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded.
Title Enderfga claw-orchestrator API Endpoint embedded-server.ts EmbeddedServer missing authentication
First Time appeared Enderfga
Enderfga claw-orchestrator
Weaknesses CWE-287
CWE-306
CPEs cpe:2.3:a:enderfga:claw-orchestrator:*:*:*:*:*:*:*:*
Vendors & Products Enderfga
Enderfga claw-orchestrator
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Enderfga Claw-orchestrator
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T21:19:41.045Z

Reserved: 2026-05-31T16:18:35.986Z

Link: CVE-2026-10281

cve-icon Vulnrichment

Updated: 2026-06-01T21:19:30.138Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T19:16:21.187

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T22:30:02Z

Weaknesses