Description
A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the validateRegex function of the Session Grep Endpoint in Enderfga claw-orchestrator. By supplying crafted input to the body.pattern argument, an attacker can cause the server to perform an inefficient regular expression evaluation, leading to excessive CPU usage and potential denial of service. The weakness is classified as CWE‑1333 and CWE‑400, indicating a denial of service flaw and a resource exhaustion vulnerability. The impact is that a malicious request can slow or crash the service, compromising availability for legitimate users.

Affected Systems

Enderfga claw-orchestrator software versions up to and including 3.7.0 are affected. The problematic code resides in claw-orchestrator/src/embedded-server.ts within the Session Grep Endpoint component. Version 3.7.1 contains the patch identified by commit 3f970a974c65a94555c25af9f2796f11315e4584, which resolves the issue.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity. No EPSS data is available, making it uncertain how frequently exploitation is attempted. The vulnerability is not listed in CISA KEV, suggesting it has not been widely exploited in the wild. A remote attacker can trigger the exploit by sending a specially crafted request to the validateRegex endpoint, and the attack requires no privileged access or authentication, indicating a high likelihood of exploitation in exposed environments.

Generated by OpenCVE AI on June 1, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Enderfga claw-orchestrator to version 3.7.1 or later to apply the vendor‑supplied patch.
  • Update deployment configurations to remove or restrict direct user input for the body.pattern parameter, ensuring that only sanitized or predefined patterns are permitted.
  • Implement request rate limiting or input complexity checks on the Session Grep Endpoint to mitigate potential denial of service attempts until a permanent fix is deployed.

Generated by OpenCVE AI on June 1, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.
Title Enderfga claw-orchestrator Session Grep Endpoint embedded-server.ts validateRegex redos
First Time appeared Enderfga
Enderfga claw-orchestrator
Weaknesses CWE-1333
CWE-400
CPEs cpe:2.3:a:enderfga:claw-orchestrator:*:*:*:*:*:*:*:*
Vendors & Products Enderfga
Enderfga claw-orchestrator
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Enderfga Claw-orchestrator
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T15:45:36.997Z

Reserved: 2026-05-31T17:43:01.679Z

Link: CVE-2026-10291

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-01T22:16:24.093

Modified: 2026-06-02T17:16:26.053

Link: CVE-2026-10291

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T23:30:12Z

Weaknesses