CRITICAL SeverityCVSS 3.19.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-43992

Last updated May 12, 2026 · Published May 12, 2026

Description

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in the LLM tool-call JSON, exposing it to any transport, log, or telemetry surface in the path between the LLM provider and the MCP process. This vulnerability is fixed in 0.x.y-security-1.

Affected products

1 listed

Dragonmonk111:junoclaw

Mappings

CWE

CWE-200CWE-312CWE-522CWE-532

CAPEC

None listed.

Research

Password StorageExplains why passwords must be hashed with salts and slow KDFs to resist offline cracking. Covers algorithm…

Guides

Secure Password Storage (bcrypt vs Argon2)Which to choose, how to configure, and what to avoid.
Secrets management in GitHub Actions: prevent leaks and rotate safelySecrets management in GitHub Actions starts with repository or environment secrets, scoped tokens, and OIDC…

Training

Logging and Detection EngineeringWriting logs that actually help you find attackers - structured, contextual, actionable.
Data Protection and EncryptionEncryption at rest, in transit, and the practical choices developers actually make.
Authentication PatternsOAuth 2.1, passkeys, WebAuthn, and JWTs - modern identity for modern apps.

CVE-2026-43992

Description

Affected products

Mappings

Related