CVE-2026-24222
Received Received - Intake
Improper Access Control in NVIDIA NeMoClaw Sandbox Causes Data Leak

Publication date: 2026-04-28

Last updated on: 2026-05-04

Assigner: NVIDIA Corporation

Description
NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly restricted during sandbox creation. A successful exploit of this vulnerability might lead to information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24222
EUVD
EUVD-2026-26079
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nvidia nemoclaw to 0.0.18 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24222 is a vulnerability in NVIDIA NeMoClaw's sandbox environment initialization component. It allows a remote attacker to inject prompt content that causes the agent to improperly access and read host environment variables. These variables are not properly restricted during sandbox creation, which leads to unauthorized disclosure of sensitive information.

This vulnerability is classified under CWE-497, which relates to the exposure of sensitive system information to an unauthorized control sphere.

Compliance Impact

This vulnerability in NVIDIA NeMoClaw allows remote attackers to exfiltrate sensitive host environment variables due to improper access control during sandbox initialization, leading to potential information disclosure.

Such unauthorized disclosure of sensitive information could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or disclosure.

Specifically, the exposure of sensitive environment variables may include personal or protected information, thus increasing the risk of non-compliance with data protection and privacy requirements.

Mitigation Strategies

The vulnerability arises from improper access control in the sandbox environment initialization of NVIDIA NeMoClaw, allowing remote attackers to exfiltrate sensitive host environment variables.

Immediate mitigation steps should focus on restricting or properly configuring the sandbox environment to ensure environment variables are not exposed or accessible during sandbox creation.

Additionally, applying any official patches or updates released by NVIDIA addressing this vulnerability is critical.

Impact Analysis

A successful exploit of this vulnerability could lead to information disclosure by allowing a remote attacker to exfiltrate sensitive host environment variables. This means confidential data stored in environment variables could be exposed without authorization.

The vulnerability has a high severity score (CVSS 3.1 base score of 8.6) and can be exploited remotely without any privileges or user interaction, making it a significant security risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart