CVE-2026-24222
Improper Access Control in NVIDIA NeMoClaw Sandbox Causes Data Leak
Publication date: 2026-04-28
Last updated on: 2026-05-04
Assigner: NVIDIA Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | nemoclaw | to 0.0.18 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability in NVIDIA NeMoClaw allows remote attackers to exfiltrate sensitive host environment variables due to improper access control during sandbox initialization, leading to potential information disclosure.
Such unauthorized disclosure of sensitive information could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or disclosure.
Specifically, the exposure of sensitive environment variables may include personal or protected information, thus increasing the risk of non-compliance with data protection and privacy requirements.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability arises from improper access control in the sandbox environment initialization of NVIDIA NeMoClaw, allowing remote attackers to exfiltrate sensitive host environment variables.
Immediate mitigation steps should focus on restricting or properly configuring the sandbox environment to ensure environment variables are not exposed or accessible during sandbox creation.
Additionally, applying any official patches or updates released by NVIDIA addressing this vulnerability is critical.
Can you explain this vulnerability to me?
CVE-2026-24222 is a vulnerability in NVIDIA NeMoClaw's sandbox environment initialization component. It allows a remote attacker to inject prompt content that causes the agent to improperly access and read host environment variables. These variables are not properly restricted during sandbox creation, which leads to unauthorized disclosure of sensitive information.
This vulnerability is classified under CWE-497, which relates to the exposure of sensitive system information to an unauthorized control sphere.
How can this vulnerability impact me? :
A successful exploit of this vulnerability could lead to information disclosure by allowing a remote attacker to exfiltrate sensitive host environment variables. This means confidential data stored in environment variables could be exposed without authorization.
The vulnerability has a high severity score (CVSS 3.1 base score of 8.6) and can be exploited remotely without any privileges or user interaction, making it a significant security risk.