Summary
NitroClaw's admin dashboard URL pattern allowed authenticated users to read other tenants' agent configurations by changing a numeric tenant ID in the URL. No tool execution leakage. Configurations contained no plaintext secrets.
Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-26330 |
| Severity | medium (5.4) |
| CVSS vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Published | 2026-04-12 |
| Patched | 2026-04-13 |
| Affected versions | Platform 1.4 – 1.5 |
| Fixed in | Platform 1.6 |
| Exploited in the wild | no known exploitation |
Affected projects
What to do
- If you run an affected version: upgrade to Platform 1.6 immediately. Do not delay this for convenience reasons.
- Rotate any credentials that may have been exposed via the affected component.
- Audit your logs for indicators of exploitation — unexpected outbound traffic, anomalous tool calls, unfamiliar authenticated sessions.
- If exploitation is confirmed, treat the host as compromised: rebuild from a clean image, rotate every secret on the host, audit lateral movement.
Sources
- NIST NVD: CVE-2026-26330 on NVD