CVE-2026-56692

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score: 5.5 / 10
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vulnerability Description

NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
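
The weakness described above, as an added Node.js example that is not NanoClaw's code: a name-only check followed by `fs.copyFileSync` copies whatever a symlink points to, while a copy that opens the source with `O_NOFOLLOW` and checks the open descriptor refuses it. `isSafeName`, `copyContained`, `demo` and the fixture files are hypothetical; it assumes a POSIX host and an outbox directory path chosen by the host.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical name-only check: a plain basename, nothing about file type.
function isSafeName(name) {
  return name !== '' && name !== '.' && name !== '..' && path.basename(name) === name;
}

// Hardened copy: open without following a final-component symlink, confirm a
// regular file on the open descriptor, then copy from that descriptor.
function copyContained(outboxDir, name, destDir) {
  if (!isSafeName(name)) throw new Error('unsafe attachment name');
  const flags = fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW; // POSIX only
  const fd = fs.openSync(path.join(outboxDir, name), flags); // symlink: ELOOP
  try {
    if (!fs.fstatSync(fd).isFile()) throw new Error('not a regular file');
    const dest = path.join(destDir, name);
    fs.writeFileSync(dest, fs.readFileSync(fd), { flag: 'wx' });
    return dest;
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed fixture: a host-only file outside the outbox, and an outbox
// holding one regular file plus one symlink to the host-only file.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'attach-demo-'));
  const outbox = path.join(tmp, 'outbox');
  const sent = path.join(tmp, 'sent');
  fs.mkdirSync(outbox);
  fs.mkdirSync(sent);
  fs.writeFileSync(path.join(tmp, 'host-only.txt'), 'HOST-SECRET');
  fs.writeFileSync(path.join(outbox, 'notes.txt'), 'hello');
  fs.symlinkSync(path.join(tmp, 'host-only.txt'), path.join(outbox, 'report.txt'));

  // Weak path: the name passes, and copyFileSync follows the link.
  const nameOk = isSafeName('report.txt');
  fs.copyFileSync(path.join(outbox, 'report.txt'), path.join(tmp, 'naive.txt'));
  const leaked = fs.readFileSync(path.join(tmp, 'naive.txt'), 'utf8');

  let rejected = false;
  try { copyContained(outbox, 'report.txt', sent); } catch { rejected = true; }
  const ok = fs.readFileSync(copyContained(outbox, 'notes.txt', sent), 'utf8');
  fs.rmSync(tmp, { recursive: true, force: true });
  return { nameOk, leaked, rejected, ok };
}
console.log(demo());
```

Checking and copying through the same file descriptor avoids a window in which the entry could be swapped between a path-based check and the copy.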

Vulnerability Details

Published Date:
Last Modified:
CWE ID: CWE-59
Source: NVD
Vendor: nanocoai
Product: nanoclaw
