Description
A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in os command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the resolveSkillScriptPath function of the MiniClaw System Command Handler (src/kernel.ts) and allows an attacker to inject arbitrary operating-system commands. It is classified as command injection (CWE-77 and CWE-78) and carries a CVSS score of 5.1 (Medium); once triggered, it can affect system integrity, confidentiality, and availability.

Affected Systems

The affected product is 8421bit MiniClaw, versions 0.8.0 and 0.9.0. The vulnerable code is the resolveSkillScriptPath function in src/kernel.ts.

Risk and Exploitability

The exploit is public, and the issue is triggered by manipulating the input to resolveSkillScriptPath. The CVSS vectors listed for this record rate the attack vector as adjacent network (AV:A) with low privileges required (PR:L). The EPSS score of 1% indicates a low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the ability to execute arbitrary OS commands remains a significant risk for affected deployments.

Generated by OpenCVE AI on May 10, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch corresponding to commit 223c16a1088e138838dcbd18cd65a37c35ac5a84 to update MiniClaw to version 0.9.1 or later
  • Restrict or remove access to the resolveSkillScriptPath API endpoint for untrusted users
  • Sanitize and validate all input parameters to resolveSkillScriptPath to prevent arbitrary command execution

Advisories

No advisories yet.

History

Sun, 10 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in os command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue.
Title | | 8421bit MiniClaw System kernel.ts resolveSkillScriptPath os command injection
Weaknesses | | CWE-77, CWE-78
References | |
Metrics | | cvssV2_0: {'score': 5.2, 'vector': 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 5.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T06:15:10.898Z

Reserved: 2026-05-09T09:37:49.916Z

Link: CVE-2026-8235

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T07:16:08.953

Modified: 2026-05-10T07:16:08.953

Link: CVE-2026-8235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T14:45:14Z
