Description
A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the isPathInside function of MiniClaw's executeSkillScript component allows an attacker to traverse filesystem paths. This path traversal can result in unauthorized access to, or execution of, files situated outside the intended directories. The flaw can be triggered remotely by manipulating input passed to the function, potentially leading to information disclosure or compromised system integrity.

Affected Systems

The vulnerability appears in 8421bit:MiniClaw across all releases up to the commit identified as 43905b934cf76489ab28e4d17da28ee97970f91f. Due to the project's rolling release strategy, precise affected version ranges are not formally documented, and no fixed release has been specified. All deployments of MiniClaw before the patch commit e8bd4e17e9428260f2161378356affc5ce90d6ed are potentially exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The exploit has been publicly disclosed and the attack can be launched remotely. Although the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the lack of mitigation measures, combined with remote exploitability and the nature of path traversal, warrants a moderate risk posture. An attacker could manipulate input parameters to gain file system access beyond the intended boundaries if the system's directory permissions are permissive.

Generated by OpenCVE AI on May 7, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit e8bd4e17e9428260f2161378356affc5ce90d6ed to eliminate the vulnerability
  • After patching, restrict MiniClaw’s file system permissions to the directories it legitimately requires to operate
  • Continuously monitor for anomalous file access or execution attempts and enforce input validation and path normalization to defend against similar issues

Generated by OpenCVE AI on May 7, 2026 at 22:21 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue.
Title | | 8421bit MiniClaw executeSkillScript kernel.ts isPathInside path traversal
Weaknesses | | CWE-22
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}; cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}; cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}; cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T20:23:55.940Z

Reserved: 2026-05-07T16:33:11.644Z

Link: CVE-2026-8113

Vulnrichment

Updated: 2026-05-08T20:23:40.318Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T22:16:37.680

Modified: 2026-05-08T15:39:09.053

Link: CVE-2026-8113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z

Weaknesses