HIGH SeverityCVSS 3.18.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

CVE-2026-43989

Last updated May 12, 2026 · Published May 12, 2026

Description

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink target, file size, or file format. This vulnerability is fixed in 0.x.y-security-1.

Affected products

1 listed

Dragonmonk111:junoclaw

Mappings

CWE

CWE-20CWE-22CWE-59CWE-73

CAPEC

None listed.

Research

Path traversal: how to detect and prevent itPath traversal lets attackers read or write files outside intended directories. Normalise paths, resolve them…

Training

Input Validation and Schema EnforcementValidate early, validate strictly - schemas, allowlists, and type-safe boundaries.
Secure File HandlingUploads, storage, and serving files without opening the door to attackers.

CVE-2026-43989

Description

Affected products

Mappings

Related