CVE Catalog

CVE-2026-56692

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

NanoClaw before version 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName, which allows malicious agents to disclose arbitrary host files.

Risk Assessment

Organizations may be exposed to sensitive data leaks from the host, potentially leading to serious security breaches and loss of customer trust.

Recommendation

It is recommended to update NanoClaw to version 2.1.17 or later to mitigate this vulnerability and implement additional security measures to prevent unauthorized file access.

Original NVD description (English source)

NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS