Description
NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.
Published: 2026-05-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NanoClaw has a filesystem boundary flaw in its outbound attachment processing and outbox cleanup. By supplying specially crafted identifiers such as messages_out.id and content.files, or by creating symlinked files in the outbox, a compromised or prompt-injected container can cause the host process to read any file outside the intended outbox directory. In certain circumstances the cleanup routine may also delete files or directories beyond the intended target, potentially removing critical host data. The weakness lets attackers compromise the confidentiality and integrity of host files, and may also reduce system availability if critical configuration files are removed.

Affected Systems

The vulnerability affects Qwibit’s NanoClaw product. No specific affected product versions are listed; all installations should be reviewed for exposure until a vendor patch is issued.

Risk and Exploitability

NanoClaw receives a CVSS score of 9.3, indicating high severity. The EPSS score, below 1%, indicates a very low probability of exploitation. The absence of known prior exploitation or a KEV listing further suggests that this vulnerability is not yet widely exploited. An attacker needs the ability to inject crafted attachment messages or to create symlinks within the outbox, so a container that holds file-creation privileges or has been compromised within the outbound attachment flow can exploit it. Because the flaw is a path traversal (CWE-22), exploitation is straightforward once these preconditions are met. Refer to the most recent advisory for details.

Generated by OpenCVE AI on May 7, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NanoClaw to the latest supported release that incorporates the path‑traversal fix; deploy the patch as soon as it becomes available.
  • If a vendor patch is not yet released, disable or lock the outbox feature so that outbound attachment processing and cleanup run in a read‑only mode, preventing symlink creation and limiting container write access to the host outbox directory.
  • Harden container isolation by ensuring that the container runtime grants no write or symlink privileges to the host outbox directory; consider moving the outbox to a separate mount namespace or sandboxing it with strict security profiles such as seccomp to block dangerous system calls.
  • Implement runtime monitoring of file access around the outbox directory to detect abnormal read or delete activity, and enforce strict input validation on attachment parameters to guard against path‑traversal attacks (CWE‑22).

Generated by OpenCVE AI on May 7, 2026 at 18:51 UTC.
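A concrete form of the input-validation and symlink guards in the last two recommendations, added here as an example and not taken from NanoClaw itself. It assumes outbox files live at <outbox_root>/<messages_out.id>/<content.files entry>; the outbox layout, the message ids and the "host-secret.txt" file are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

def _check_component(value: str) -> str:
    """Accept only a single plain path component: no separators, no '.'/'..', no NUL."""
    if not value or value in (".", "..") or any(ch in value for ch in "/\\\0"):
        raise ValueError(f"rejected path component {value!r}")
    return value

def resolve_outbox_file(outbox_root, message_id: str, file_name: str) -> Path:
    """Return <root>/<message_id>/<file_name>, reached without following any symlink."""
    root = Path(outbox_root).resolve(strict=True)
    path = root / _check_component(message_id) / _check_component(file_name)
    # is_symlink() uses lstat: a symlinked message directory or outbox file is refused.
    if any(p.is_symlink() for p in (path.parent, path)):
        raise ValueError(f"symlink in outbox path: {path}")
    return path

def cleanup_message_dir(outbox_root, message_id: str) -> None:
    """Recursively delete <root>/<message_id>, refusing a symlinked target."""
    target = Path(outbox_root).resolve(strict=True) / _check_component(message_id)
    if target.is_symlink():
        raise ValueError(f"refusing to delete through symlink: {target}")
    shutil.rmtree(target)   # unlinks symlinks met inside the tree instead of following them

def demo() -> dict:
    """Constructed outbox: honest msg-1, symlinked file in msg-2, symlinked dir msg-3."""
    base = Path(tempfile.mkdtemp())
    secret, outbox = base / "host-secret.txt", base / "outbox"
    secret.write_text("host data")
    for m in ("msg-1", "msg-2"):
        (outbox / m).mkdir(parents=True)
    (outbox / "msg-1" / "report.txt").write_text("ok")
    os.symlink(secret, outbox / "msg-2" / "leak.txt")   # symlinked outbox file
    os.symlink(base, outbox / "msg-3")                  # symlinked message directory
    results = {}
    for mid, name in [("msg-1", "report.txt"), ("msg-2", "leak.txt"),
                      ("..", "host-secret.txt"), ("msg-3", "host-secret.txt")]:
        try:
            results[mid] = resolve_outbox_file(outbox, mid, name).read_text()
        except (ValueError, OSError) as exc:
            results[mid] = type(exc).__name__
    try:
        cleanup_message_dir(outbox, "msg-3")
    except ValueError:
        results["cleanup"] = "refused"
    results["secret_intact"] = secret.exists()
    return results
```

Only the honest message is readable; the crafted id, the symlinked file and the symlinked directory are all rejected before any host-side read, and the cleanup refuses to recurse through the symlinked directory.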

Tracking

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nanoco; Nanoco nanoclaw
CPEs | | cpe:2.3:a:nanoco:nanoclaw:*:*:*:*:*:*:*:*
Vendors & Products | | Nanoco; Nanoco nanoclaw

Thu, 07 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qwibit; Qwibit nanoclaw
Vendors & Products | | Qwibit; Qwibit nanoclaw

Thu, 07 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target. | NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.
References | |

Thu, 07 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.
Title | | NanoClaw Host/Container Filesystem Boundary Vulnerability via Outbound Attachment Handling
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-19T16:48:05.925Z

Reserved: 2026-05-05T14:27:47.935Z

Link: CVE-2026-7875

Vulnrichment

Updated: 2026-05-07T13:46:49.926Z

NVD

Status: Analyzed

Published: 2026-05-06T17:16:24.250

Modified: 2026-05-29T15:24:59.267

Link: CVE-2026-7875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:35Z

Weaknesses