Executive Summary

CVE-2026-10216 is a critical authentication bypass vulnerability in the Droidclaw software (versions up to 0.5.3). It exists in the /pairing/claim endpoint where the application improperly restricts excessive authentication attempts by relying on spoofable HTTP headers (X-Forwarded-For and X-Real-IP) to identify clients for rate limiting.

An attacker can dynamically change these headers with each request to bypass the rate limiting mechanism, allowing them to brute-force the 6-digit pairing code (with 900,000 possible combinations) within minutes.

Upon successfully guessing the pairing code, the attacker can steal the victim's API key and gain full control over the victim's Android device via the WebSocket API without requiring any authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to bypass rate limiting and brute-force the pairing code to steal your API key.

With the stolen API key, the attacker gains full control over your Android device through the Droidclaw WebSocket API, enabling them to execute arbitrary commands and actions remotely.

This can lead to complete device hijacking, unauthorized access to sensitive data, and potential misuse of device capabilities.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring unusual or excessive authentication attempts to the /pairing/claim endpoint, especially attempts that spoof the HTTP headers X-Forwarded-For and X-Real-IP to bypass rate limiting.

Network administrators can look for repeated requests with varying X-Forwarded-For or X-Real-IP headers targeting the /pairing/claim endpoint, which may indicate an ongoing brute-force attack.

Suggested commands to detect such activity include using tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests to /pairing/claim with suspicious header patterns.

• tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep '/pairing/claim'
• Use grep or similar tools on web server logs to identify multiple requests with different X-Forwarded-For or X-Real-IP headers in a short time frame.
• Example: grep '/pairing/claim' /var/log/nginx/access.log | grep -E 'X-Forwarded-For|X-Real-IP' | sort | uniq -c | sort -nr

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Droidclaw to a version later than v0.5.3 where the vulnerability has been patched.

If upgrading is not immediately possible, implement stricter rate limiting that does not rely on spoofable HTTP headers such as X-Forwarded-For or X-Real-IP.

Additionally, consider blocking or filtering requests with suspicious or rapidly changing IP headers and monitor for brute-force attempts.

Restrict access to the /pairing/claim endpoint to trusted networks or authenticated users where feasible.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass rate limiting and brute-force a 6-digit pairing code, leading to theft of API keys and full control over victim devices. This unauthorized access to personal or sensitive data could result in violations of data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal and health information.

Specifically, the improper restriction of excessive authentication attempts (CWE-307) increases the risk of unauthorized data access, which may lead to non-compliance with standards mandating strong authentication and access controls.

Useful 0 Not Useful 0