CVE-2026-15320
Received Received - Intake

Authorization Bypass in Sipeed PicoClaw

Vulnerability report for CVE-2026-15320, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulDB

Description

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sipeed picoclaw to 0.2.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Sipeed PicoClaw software up to version 0.2.9, specifically the function rt.ReloadConfig in the file pkg/channels/pico/pico.go. It allows an attacker to manipulate the argument message.send, which leads to missing authorization checks. This means that an authenticated Pico WebSocket client can send a message containing the command "/reload" through the chat interface, which is forwarded directly to the command executor without proper authorization. As a result, lower-privileged users can trigger unauthorized gateway configuration reloads, bypassing the usual bearer token requirement of the HTTP management endpoint.

Compliance Impact

The vulnerability allows unauthorized gateway configuration reloads by bypassing authorization checks, which could lead to administrative actions by lower-privileged users. This lack of proper authorization control may increase the risk of unauthorized access or manipulation of system configurations.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the potential for unauthorized actions and disruption of service stability could indirectly impact compliance by compromising system integrity and security controls required by these regulations.

Impact Analysis

The vulnerability allows unauthorized users with lower privileges to perform administrative actions such as reloading the gateway configuration. This can disrupt service stability and compromise the integrity of the gateway. Since the exploit can be initiated remotely, attackers could potentially cause service interruptions or manipulate the system configuration without proper authorization.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unusual WebSocket messages containing the "/reload" command sent through the Pico WebSocket chat interface.

Specifically, detection involves checking for authenticated WebSocket clients sending messages that trigger gateway configuration reloads without proper authorization.

Network or system administrators can inspect WebSocket traffic logs or use network monitoring tools to filter for messages containing "/reload" commands.

  • Use packet capture tools like tcpdump or Wireshark to capture WebSocket traffic and filter for "/reload" messages.
  • Analyze application logs for any instances of configuration reload commands triggered via WebSocket without proper authorization.
Mitigation Strategies

Immediate mitigation steps include restricting access to the Pico WebSocket interface to trusted and authenticated users only.

Since the vulnerability allows unauthorized reload commands via WebSocket, it is important to implement proper authorization checks or disable the vulnerable reload functionality until a patch is available.

Additionally, monitoring and logging WebSocket activity for suspicious commands can help detect exploitation attempts early.

  • Restrict WebSocket access to trusted networks or VPNs.
  • Disable or block the "/reload" command in the WebSocket chat interface if possible.
  • Monitor logs and network traffic for unauthorized reload attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart