CVE-2026-16081
Received Received - Intake

Cross-Site Request Forgery in Sipeed PicoClaw

Vulnerability report for CVE-2026-16081, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 4b0229351678f479429b8d8b19207757266f246b. Applying a patch is advised to resolve this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sipeed picoclaw to 0.2.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16081 is a Cross-Site Request Forgery (CSRF) vulnerability in the PicoClaw launcher's first-run password setup process. It allows malicious cross-site pages to submit attacker-controlled passwords to a local launcher before legitimate users complete setup, potentially enabling unauthorized control-plane access.

Detection Guidance

To detect this CSRF vulnerability in PicoClaw up to 0.2.9, monitor HTTP requests to the POST /api/auth/setup endpoint. Check for cross-site requests lacking proper origin headers like Sec-Fetch-Site, Origin, or Referer. Use tools like curl to test if the endpoint accepts requests without these headers.

Impact Analysis

An attacker could trick a victim into visiting a malicious webpage, which sends a cross-site POST request to the local PicoClaw launcher. This sets an attacker-chosen password during the first-run setup, granting full control over the launcher's dashboard, including gateway management and configuration changes.

Compliance Impact

This CSRF vulnerability in PicoClaw's first-run password setup could potentially violate compliance with GDPR and HIPAA by allowing unauthorized access to user data. An attacker exploiting this flaw might gain control of the launcher's dashboard, enabling unauthorized changes to configurations or access to sensitive information. GDPR requires protecting personal data, while HIPAA mandates securing health-related data; unauthorized access could lead to breaches of these regulations.

Mitigation Strategies

Apply the patch from Pull Request #3160 or update to a version beyond 0.2.9. Ensure the PicoClaw launcher is accessible only from trusted networks. Monitor for unauthorized POST /api/auth/setup requests during the first-run setup phase.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart