CVE-2026-7875
NanoClaw Host Filesystem Boundary Bypass via Outbox Handling
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qwibitai | nanoclaw | * |
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
NanoClaw contains a host/container filesystem boundary vulnerability related to outbound attachment handling and outbox cleanup.
This vulnerability allows a compromised or prompt-injected container to read files outside the intended outbox directory by using specially crafted messages_out.id and content.files values or by creating symlinked outbox files.
Attackers exploiting this vulnerability can cause the host system to read arbitrary files and, in some cases, perform recursive deletion of paths outside the intended cleanup target.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized reading of arbitrary files on the host system from a compromised container.
Additionally, attackers may be able to trigger recursive deletion of files or directories outside the intended cleanup scope, potentially leading to data loss or system instability.
Given the high CVSS scores (9.3 for v4.0 and 8.8 for v3.1), the vulnerability poses a critical risk to confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a compromised container to read or delete arbitrary files on the host system outside the intended directories. Such unauthorized access to sensitive files could lead to exposure or loss of personal or protected data.
Because the vulnerability enables unauthorized file reads and deletions, it could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Exploitation of this vulnerability could result in breaches of confidentiality, integrity, and availability of data, potentially leading to regulatory violations and associated penalties.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts by containers to exploit path traversal sequences or symlinks in message outbox files to access or delete files outside the intended directories.
You can monitor for suspicious file access patterns or recursive deletions originating from container processes, especially those involving filenames with sequences like '../../../' or unexpected symlinked files in the outbox directory.
Suggested commands include:
- Use 'find' to detect symlinks in the outbox directory: `find /path/to/outbox -type l`
- Check for unusual filenames with path traversal patterns. A file name on disk cannot contain `/`, so match on `..` in the entry name: `find /path/to/outbox -name '*..*'`
- Monitor file access or deletion events using auditd or inotify tools targeting the outbox directory.
- Review container logs for suspicious messages containing crafted message IDs or filenames.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the security patches that enforce strict path validation and containment checks on the host side.
Specifically, ensure that the NanoClaw host process validates message IDs and filenames as simple basenames, rejects symlinks and non-file paths, and verifies that resolved paths remain within the canonical message outbox directory.
Additionally, treat all container-controlled data as untrusted and avoid trusting container-supplied paths without validation.
If patches are not immediately available, consider restricting container privileges and isolating the affected components to limit potential exploitation.
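
The host-side checks listed above (basename-only message IDs and file names, no symlinks or non-file paths, resolved path inside the canonical outbox), as an added Node.js example that is not NanoClaw's own code. The `<outboxRoot>/<messageId>/<fileName>` layout and all function names are assumptions.

```javascript
// Added example, not NanoClaw's code. Assumed layout: <outboxRoot>/<messageId>/<fileName>.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// A simple basename: non-empty, no separators or NUL, and not "." or "..".
function isSimpleBasename(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 255 &&
    name !== '.' && name !== '..' && !/[\/\\\0]/.test(name);
}

// Returns the canonical path of an attachment, or throws if any check fails.
function resolveOutboxFile(outboxRoot, messageId, fileName) {
  if (!isSimpleBasename(messageId)) throw new Error('invalid message id');
  if (!isSimpleBasename(fileName)) throw new Error('invalid file name');
  const root = fs.realpathSync(outboxRoot); // canonical outbox directory
  const dir = path.join(root, messageId);
  const file = path.join(dir, fileName);
  // lstat does not follow links, so a symlinked directory or file is seen as a link.
  if (!fs.lstatSync(dir).isDirectory()) throw new Error('message dir is not a real directory');
  if (!fs.lstatSync(file).isFile()) throw new Error('attachment is not a regular file');
  // Final containment check on the fully resolved path.
  const real = fs.realpathSync(file);
  if (!real.startsWith(root + path.sep)) throw new Error('path escapes outbox');
  return real;
}

// Constructed fixture: one legitimate attachment, one symlink pointing outside the outbox.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'outbox-demo-'));
  const root = path.join(base, 'outbox');
  fs.mkdirSync(path.join(root, 'msg-1'), { recursive: true });
  fs.writeFileSync(path.join(base, 'host-secret.txt'), 'outside');
  fs.writeFileSync(path.join(root, 'msg-1', 'report.txt'), 'inside');
  fs.symlinkSync(path.join(base, 'host-secret.txt'), path.join(root, 'msg-1', 'link.txt'));
  const check = (id, name) => {
    try { resolveOutboxFile(root, id, name); return 'accepted'; }
    catch (err) { return 'rejected: ' + err.message; }
  };
  const results = {
    normal: check('msg-1', 'report.txt'),
    traversalId: check('../..', 'host-secret.txt'),
    traversalFile: check('msg-1', '../../host-secret.txt'),
    symlink: check('msg-1', 'link.txt'),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
console.log(demo());
```

Run the same validation on the message directory before any recursive cleanup. Because the path can change between the check and a later open, read the attachment through a single descriptor opened immediately after the check.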