Description
A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in OS command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The patch is named 028f62216dee9f64833d0f1cfda7c217067ceba8. To fix this issue, it is recommended to deploy a patch.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: 2.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the executeCognitivePulse function of src/kernel.ts in the 8421bit MiniClaw application. Performing a specific manipulation allows an attacker to inject arbitrary operating‑system commands that are executed by the running process. This flaw maps to the unsafe use of system command facilities (CWE‑77 and CWE‑78) and can result in compromise of confidentiality, integrity, and availability by executing malicious commands on the host. While the patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 addresses the issue, the release model used by MiniClaw does not provide explicit version numbers, so the exact applicable revisions cannot be enumerated. The security notice recommends deploying the patch immediately.

Affected Systems

MiniClaw is distributed by 8421bit and follows a rolling‑release model that continually delivers updates. Because no released tag is tied to a specific commit, all MiniClaw instances running any code prior to the patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 are considered vulnerable. The product repository lists the affected commit range up to 223c16a1088e138838dcbd18cd65a37c35ac5a84, which includes the vulnerable function.

Risk and Exploitability

The CVSS v3 base score of 5.3 indicates moderate severity, and the EPSS score of 3% suggests a moderate likelihood of exploitation. The vulnerability is public, with exploit code released on GitHub, and is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote, likely via network interfaces that expose the executeCognitivePulse function. An adversary could trigger the injection by sending crafted data to the exposed endpoint or triggering the function through any remote procedure call that the application accepts.

Generated by OpenCVE AI on June 18, 2026 at 08:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch corresponding to commit 028f62216dee9f64833d0f1cfda7c217067ceba8 as soon as possible.
  • If immediate patching is not feasible, restrict external access to the executeCognitivePulse function or remove that functionality from production environments.
  • Enforce strict input validation on all parameters passed to executeCognitivePulse, ensuring that no untrusted data is executed directly in the operating system, and enforce least‑privilege permissions for the MiniClaw process.

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | `cpe:2.3:a:8421bit:miniclaw:*:*:*:*:*:*:*:*` |

Sun, 10 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | 8421bit; 8421bit miniclaw |
| Vendors & Products | | 8421bit; 8421bit miniclaw |

Fri, 08 May 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Thu, 07 May 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in OS command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The patch is named 028f62216dee9f64833d0f1cfda7c217067ceba8. To fix this issue, it is recommended to deploy a patch. |
| Title | | 8421bit MiniClaw kernel.ts executeCognitivePulse os command injection |
| Weaknesses | | CWE-77; CWE-78 |
| References | | |
| Metrics | | cvssV2_0: `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}`; cvssV3_0: `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}`; cvssV3_1: `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}`; cvssV4_0: `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T23:01:39.515Z

Reserved: 2026-05-07T16:33:08.416Z

Link: CVE-2026-8112

Vulnrichment

Updated: 2026-05-08T23:01:32.232Z

NVD

Status: Analyzed

Published: 2026-05-07T22:16:37.507

Modified: 2026-06-17T11:03:30.077

Link: CVE-2026-8112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T08:30:04Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')