CVE-2026-16017
Received Received - Intake

Missing Authorization in Mosaxiv Clawlet Cron Tool

Vulnerability report for CVE-2026-16017, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulDB

Description

A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. Impacted is the function list/remove of the file tools/tool_cron.go of the component cron Chat Tool. The manipulation results in missing authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed with the label "not planned".

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mosaxiv clawlet to 0.2.10 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16017 is a missing authorization flaw in the mosaxiv clawlet up to version 0.2.10. The vulnerability affects the cron chat tool's list and remove functions in tools/tool_cron.go. It allows authenticated users to manipulate jobs created by others without proper checks. The issue stems from the tool storing ownership metadata but failing to enforce it during operations.

Detection Guidance

To detect this vulnerability, check for unauthorized access to the cron tool's list/remove functions in mosaxiv clawlet versions up to 0.2.10. Monitor logs for unexpected job deletions or listings across different user sessions. Verify if the cron tool stores and enforces job ownership metadata correctly.

Impact Analysis

An attacker could list and delete scheduled jobs of other users, disrupting reminders, workflow triggers, or automation tasks. This cross-session interference enables unauthorized access to shared cron jobs, potentially causing data loss or operational disruptions for affected users.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by enabling unauthorized access to user data. The missing authorization in the cron tool may allow attackers to view or delete scheduled tasks, which could include sensitive reminders or workflows. This could lead to unauthorized data exposure or disruption of services, violating principles of data protection and integrity required by these regulations.

Mitigation Strategies

Upgrade mosaxiv clawlet to a version beyond 0.2.10 where the authorization flaw is fixed. If upgrading is not possible, restrict access to the cron tool's list/remove functions and implement session-based ownership checks for job operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16017. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart