GHSA-6373-p7g2-mx2wMediumCVSS 5.5
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that...
🔗 CVE IDs covered (1)
📋 Description
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-56692
- https://github.com/nanocoai/nanoclaw/pull/2468
- https://github.com/nanocoai/nanoclaw/commit/28032bc0eca76c91fb3d8be0013e8bcaf2f5aeae
- https://www.vulncheck.com/advisories/nanoclaw-arbitrary-file-read-via-symlink-following-in-forwardattachedfiles
- https://github.com/advisories/GHSA-6373-p7g2-mx2w