CVE-2026-56694
MediumCVSS 5.4Summary
NanoClaw before version 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups.
Risk Assessment
Scoped admins can submit forged or stale connect callback values, exposing unauthorized groups to unapproved channels and enabling unauthorized observation or control of restricted agent group activity.
Recommendation
It is recommended to update NanoClaw to version 2.1.0 or later and implement additional privilege verification mechanisms in the channel registration approval process.
Original NVD description (English source)
NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channels into out-of-scope agent groups, exposing unauthorized groups to unapproved channels and enabling unauthorized observation or control of restricted agent group activity.

