CVE-2026-16200
Received Received - Intake

Incorrect Authorization in zevorn rt-claw RPC Handler

Vulnerability report for CVE-2026-16200, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability has been found in zevorn rt-claw up to 0.2.0. This impacts the function claw_tool_invoke of the file claw/services/swarm/swarm.c of the component RPC Handler. The manipulation leads to incorrect authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zevorn rt-claw to 0.2.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16200 is an authorization bypass vulnerability in zevorn rt-claw up to 0.2.0. It allows unauthenticated remote attackers to execute arbitrary Python code on Linux nodes via the swarm RPC interface by bypassing the intended local-only security policy.

Detection Guidance
  • Check for unexpected network traffic on UDP port 5300, which is the default swarm port for rt-claw. Use commands like 'netstat -anu | grep 5300' or 'ss -anu | grep 5300' to monitor active connections.
  • Inspect logs for unauthorized RPC calls or Python script executions. Look for entries containing 'run_script' or 'swarm' in logs like /var/log/syslog or application-specific logs.
  • Verify if the rt-claw service is running an unreleased version after v0.2.0. Check version with 'rtclaw --version' or inspect build metadata.
Impact Analysis

This vulnerability allows remote attackers to gain full control of affected systems by executing arbitrary Python code in the context of the rtclaw process. Attackers can send crafted UDP packets to the swarm port (5300) to trigger the exploit.

Compliance Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary Python code on affected systems, which could lead to unauthorized access to sensitive data. This may violate compliance requirements under GDPR (data protection) and HIPAA (healthcare data privacy) by enabling unauthorized data access or disclosure.

Mitigation Strategies
  • Disable the swarm RPC interface if not required. Modify rt-claw configuration to disable swarm services or restrict access to trusted networks.
  • Update to a patched version of rt-claw once available. Monitor the project's GitHub repository for official fixes.
  • Implement network-level controls. Block UDP port 5300 at the firewall to prevent remote exploitation until patched.
  • Restrict execution permissions. Ensure the rtclaw process runs with minimal privileges to limit impact of potential exploits.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16200. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart