Loading market data...
← Back to CVE feed

CVE-2026-56692

MEDIUM CVSS 5.5 View on NVD ↗

Description

NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Published: Jun 23, 2026 16:17 UTC Modified: Jun 23, 2026 17:58 UTC