CVE-2026-56692
Received Received - Intake
Symlink Following in NanoClaw Before 2.1.17

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-56692
EUVD
EUVD-2026-38464
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nanocoai nanoclaw to 2.1.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-56692 is a vulnerability in NanoClaw versions before 2.1.17 where the forwardAttachedFiles function improperly handles symbolic links (symlinks). The host application validates attachment filenames using only a basic check (isSafeAttachmentName) but then copies files using fs.copyFileSync, which follows symlinks without verifying if the linked files are within a safe directory. This allows a malicious or compromised container-controlled agent to create symlinks that point to arbitrary host-readable files, causing the host to inadvertently disclose sensitive files by copying them during attachment forwarding.

The root cause is the lack of containment checks on symlinks, enabling directory traversal and arbitrary file read attacks. The vulnerability was fixed by adding strict path validation, rejecting symlinks, ensuring files are regular files within the expected directory, and skipping any files that fail these checks.

Impact Analysis

This vulnerability can allow a malicious or compromised agent running inside a container to exfiltrate arbitrary files from the host system that it should not have access to. By exploiting the symlink following flaw, an attacker can trick the host into copying sensitive host-readable files into another agent's inbox, potentially exposing confidential data.

The impact includes unauthorized disclosure of sensitive information across trust boundaries without requiring user interaction beyond the initial compromise of an agent. This can lead to data breaches and compromise of host system confidentiality.

Detection Guidance

Detection of this vulnerability involves identifying symlinked files in the agent's outbox directory that could be exploited to exfiltrate host-readable files.

You can check for symbolic links in the relevant directories used by NanoClaw agents by running commands that find symlinks and verify file types.

  • Use the command `find /path/to/agent/outbox -type l` to list all symbolic links in the outbox directory.
  • Use `ls -l /path/to/agent/outbox` to visually inspect for symlinks (indicated by 'l' at the start of the permissions).
  • Check if any symlink points outside the expected directory by resolving real paths with `readlink -f /path/to/symlink`.

Monitoring logs for warnings related to skipped symlinked attachments during forwarding can also help detect exploitation attempts, as the patched version logs such events.

Mitigation Strategies

The primary mitigation step is to upgrade NanoClaw to version 2.1.17 or later, where the vulnerability has been fixed.

The fix includes rejecting symbolic links in forwarded attachments and enforcing strict path validation to prevent directory traversal and unauthorized file access.

  • Update NanoClaw to version 2.1.17 or newer.
  • Ensure that the agent's outbox directory is not a symbolic link and that all attachments are regular files within the expected directory.
  • Review and apply patches that implement the `isPathInside` function and related filesystem checks as described in the security fix.

Additionally, monitor logs for warnings about skipped symlinked files to detect any attempts to exploit this vulnerability.

Compliance Impact

This vulnerability allows malicious agents to exfiltrate arbitrary host-readable files by exploiting symlink following in the forwardAttachedFiles function. Such unauthorized disclosure of sensitive or personal data could lead to violations of data protection regulations like GDPR or HIPAA, which mandate strict controls on access to and protection of personal and sensitive information.

By enabling attackers to access files outside the intended directory boundaries without proper containment checks, the vulnerability undermines data confidentiality and integrity requirements essential for compliance with these standards.

The fix introduced in version 2.1.17, which enforces strict path validation and rejects symlinks, helps mitigate this risk and supports compliance efforts by preventing unauthorized file disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56692. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart