CVE-2026-56402
Privilege Escalation in NanoClaw via Unauthorized Approval Handling

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response payloads without proper role validation.
Meta Information
Generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products

Vendor     Product     Version / Range
nanoclaw   nanoclaw    up to 2.1.17 (2.1.17 excluded)
CWE

CWE ID     Description
CWE-862    The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-56402 is a privilege escalation vulnerability in NanoClaw versions before 2.1.17. The issue occurs in the handleApprovalsResponse function, which fails to verify whether the user submitting an approval response has the proper authorization or role.

Attackers who have a valid questionId can exploit this flaw to approve or reject privileged actions, such as package installations, without having the necessary admin or owner privileges. This happens because the system trusts the approval ID without checking the responder's role, leading to unauthorized users manipulating approval workflows.

Impact Analysis

This vulnerability can allow unauthorized users to escalate their privileges by approving or rejecting sensitive actions that should be restricted to admins or owners.

  • Attackers can approve or reject privileged operations like package installations.
  • It compromises the integrity of the approval process, allowing unauthorized changes to system configurations or software.
  • This can lead to unauthorized software being installed or critical actions being blocked or manipulated.

Detection Guidance

This vulnerability involves unauthorized approval responses being accepted without proper role validation. Detection can focus on monitoring approval response payloads that are submitted with valid questionId values but originate from users lacking admin or owner privileges.

To detect exploitation attempts, you can look for unusual approval response activities in logs, especially approval actions performed by non-admin users.

Since the vulnerability is in the handleApprovalsResponse function, monitoring application logs for unauthorized approval attempts or suspicious approval response payloads is recommended.

Specific commands depend on your logging and monitoring setup, but examples include:

  • Searching application logs for approval responses submitted by non-admin users, e.g. `grep 'approval response' /var/log/nanoclaw.log | grep -v 'admin'` (a coarse first pass: it also hides any line that merely mentions "admin", so adapt both patterns to your actual log format).
  • Using network monitoring tools to capture and analyze approval response payloads for suspicious activity.
  • Implementing custom scripts to parse logs for approval actions linked to questionId values submitted by unauthorized users.

Mitigation Strategies

The primary mitigation is to upgrade NanoClaw to version 2.1.17 or later, where the vulnerability has been fixed by enforcing strict authorization checks on approval responses.

The fix requires that only users with owner, global admin, or admin roles for the approval's agent group can approve or reject privileged actions.

Until the upgrade is applied, consider restricting access to the approval response mechanism to trusted users only and monitoring for suspicious approval activities.

Additionally, review and audit approval workflows to ensure that no unauthorized approvals or rejections have occurred.
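The following is an added example, not NanoClaw's own code, that puts the two points above into working form: the role rule the fixed version is described as enforcing (owner, global admin, or admin of the approval's agent group), applied both as a check in a hardened approval handler and as an audit that replays approval-response log lines to find decisions that should not have been accepted. It is written in JavaScript to match the camelCase handler name on the page; the role names (`owner`, `global_admin`, `admin`, `member`), the shape of the approval record, the function name `handleApprovalsResponseHardened`, and the `approval_response` log line format are all assumptions made for illustration.

```javascript
'use strict';
// Added example (not NanoClaw's code). Role names, the approval record shape
// and the log format below are assumptions made for illustration.

const GLOBAL_ROLES = new Set(['owner', 'global_admin']);

// The rule described for the fixed version: owners and global admins may
// respond to any approval; an 'admin' may respond only for approvals that
// belong to an agent group they administer. Everyone else is refused.
function isAuthorizedResponder(responder, approval) {
  if (!responder || !approval) return false;
  if (GLOBAL_ROLES.has(responder.role)) return true;
  if (responder.role === 'admin') {
    return Array.isArray(responder.adminOfGroups) &&
      responder.adminOfGroups.includes(approval.agentGroup);
  }
  return false;
}

// Hardened handler: knowing a valid questionId is not enough on its own;
// the responder's role is checked before any decision is recorded.
function handleApprovalsResponseHardened(pendingApprovals, responder, payload) {
  const approval = pendingApprovals.get(payload.questionId);
  if (!approval) return { ok: false, reason: 'unknown questionId' };
  if (approval.status !== 'pending') return { ok: false, reason: 'already decided' };
  if (!isAuthorizedResponder(responder, approval)) {
    return { ok: false, reason: 'responder not authorized' };
  }
  if (payload.decision !== 'approve' && payload.decision !== 'reject') {
    return { ok: false, reason: 'invalid decision' };
  }
  approval.status = payload.decision === 'approve' ? 'approved' : 'rejected';
  approval.decidedBy = responder.id;
  return { ok: true, status: approval.status };
}

// Retrospective audit: replay approval-response log lines through the same
// rule to flag decisions made by responders who should not have been allowed.
// Assumed line format:
// <ISO time> approval_response questionId=<id> user=<id> role=<role>
//            groups=<g1,g2> agentGroup=<g> decision=<approve|reject>
const LINE_RE = /^(\S+) approval_response (.*)$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const fields = {};
  for (const kv of m[2].split(/\s+/)) {
    const idx = kv.indexOf('=');
    if (idx > 0) fields[kv.slice(0, idx)] = kv.slice(idx + 1);
  }
  return { time: m[1], ...fields };
}

function auditApprovalLog(lines) {
  const findings = [];
  for (const line of lines) {
    const ev = parseLogLine(line);
    if (!ev || !ev.questionId) continue;
    const responder = {
      id: ev.user,
      role: ev.role,
      adminOfGroups: ev.groups ? ev.groups.split(',') : [],
    };
    if (!isAuthorizedResponder(responder, { agentGroup: ev.agentGroup })) {
      findings.push({
        time: ev.time, questionId: ev.questionId, user: ev.user,
        role: ev.role, decision: ev.decision,
      });
    }
  }
  return findings;
}

// Constructed sample log lines (not real NanoClaw output).
const SAMPLE_LOG = [
  '2026-06-23T10:00:01Z approval_response questionId=q-101 user=alice role=owner groups= agentGroup=ops decision=approve',
  '2026-06-23T10:02:14Z approval_response questionId=q-102 user=bob role=admin groups=ops agentGroup=ops decision=reject',
  '2026-06-23T10:05:37Z approval_response questionId=q-103 user=carol role=admin groups=dev agentGroup=ops decision=approve',
  '2026-06-23T10:07:09Z approval_response questionId=q-104 user=dave role=member groups= agentGroup=ops decision=approve',
  '2026-06-23T10:08:00Z heartbeat ok',
];

// Demonstration run: q-103 (admin of another group) and q-104 (plain member)
// are reported; q-101 and q-102 pass the rule and the heartbeat line is skipped.
const demoFindings = auditApprovalLog(SAMPLE_LOG);
console.log(JSON.stringify(demoFindings, null, 2));
```

The audit reuses the exact predicate the handler enforces, so the same rule answers both "should this response be accepted now?" and "which past responses should not have been accepted?"; if your deployment's role model differs (for example, additional delegated roles), change `isAuthorizedResponder` once and both paths follow.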
