CVE Catalog

CVE-2026-43992

Critical
Published: Translated: NVD NIST

Summary

JunoClaw is an AI platform that prior to version 0.x.y-security-1 had a vulnerability where MCP tools accepted 'mnemonic: string' as a call parameter. This led to the BIP-39 seed being embedded in the LLM tool-call JSON, exposing it.

Risk Assessment

The exposure of BIP-39 seeds could lead to the compromise of cryptographic keys, posing a serious risk to the security of data and transactions within the organization.

Recommendation

It is recommended to upgrade to version 0.x.y-security-1 or later to eliminate this vulnerability and secure data against unauthorized access.

Original NVD description (English source)

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in the LLM tool-call JSON, exposing it to any transport, log, or telemetry surface in the path between the LLM provider and the MCP process. This vulnerability is fixed in 0.x.y-security-1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS