medium · CVSS 5.4 · patched

CVE-2026-26330

NitroClaw — IDOR in admin dashboard tenant routing

Timeline
Disclosed: 2026-04-12 · Patch available: 2026-04-13 · Patched: 2026-05-03


Summary

NitroClaw's admin dashboard routed tenant-scoped pages by a numeric tenant ID in the URL and did not check that the ID matched the authenticated user's own tenant, so any authenticated user could read other tenants' agent configurations simply by changing that number (an insecure direct object reference). The flaw exposed configuration data only: no tool execution was leaked, and the configurations contained no plaintext secrets.
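The two route handlers below are an added illustration of the bug class described above, not NitroClaw's own code: the URL pattern, the request/session objects, the in-memory configuration store and the tenant IDs are all assumptions. The vulnerable handler trusts the tenant ID in the path because the caller is authenticated; the hardened one refuses any path whose tenant ID is not the session's own tenant, and answers 404 rather than 403 so the response does not confirm which tenant IDs exist.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: two tenants, each with one agent configuration.
# Nothing here is real NitroClaw data.
AGENT_CONFIGS = {
    101: {"agent": "support-bot", "model": "model-a", "tools": ["search"]},
    202: {"agent": "billing-bot", "model": "model-b", "tools": ["ledger"]},
}


@dataclass
class Session:
    user_id: str
    tenant_id: int  # tenant the authenticated user belongs to


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# Assumed URL shape; the real dashboard route is not shown on the advisory.
ROUTE = re.compile(r"^/admin/tenants/(\d+)/agents$")


def vulnerable_handler(session: Session, path: str) -> Response:
    """Pre-fix pattern: the tenant ID comes from the URL and is used directly
    because the request is authenticated. Authentication is not authorization,
    so any logged-in user can read any tenant's configuration."""
    m = ROUTE.match(path)
    if m is None:
        return Response(404)
    tenant_id = int(m.group(1))
    config = AGENT_CONFIGS.get(tenant_id)
    if config is None:
        return Response(404)
    return Response(200, config)


def fixed_handler(session: Session, path: str) -> Response:
    """Hardened: the tenant ID in the path must equal the session's tenant.
    A mismatch gets the same 404 as a missing tenant, so the endpoint cannot
    be used to enumerate which tenant IDs exist."""
    m = ROUTE.match(path)
    if m is None:
        return Response(404)
    tenant_id = int(m.group(1))
    if tenant_id != session.tenant_id:
        return Response(404)
    config = AGENT_CONFIGS.get(tenant_id)
    if config is None:
        return Response(404)
    return Response(200, config)


def demo() -> dict:
    """A tenant-101 user requests its own page and tenant 202's page
    through both handlers; returns the four status codes."""
    attacker = Session(user_id="u-9", tenant_id=101)
    own = "/admin/tenants/101/agents"
    other = "/admin/tenants/202/agents"
    return {
        "vuln_own": vulnerable_handler(attacker, own).status,
        "vuln_other": vulnerable_handler(attacker, other).status,
        "fixed_own": fixed_handler(attacker, own).status,
        "fixed_other": fixed_handler(attacker, other).status,
    }


if __name__ == "__main__":
    print(demo())
```

The stronger design removes the choice entirely: derive the tenant scope from the session and never accept it from the URL, so there is no ID to tamper with. Where the ID must stay in the path (links, bookmarks), the equality check above is the minimum, and it belongs in one shared dependency or middleware rather than in each handler.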

Details

CVE ID: CVE-2026-26330
Severity: medium (5.4)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Published: 2026-04-12
Patched: 2026-04-13
Affected versions: Platform 1.4 – 1.5
Fixed in: Platform 1.6
Exploited in the wild: no known exploitation

Affected AI agents

NitroClaw

What to do

  • If you run Platform 1.4 or 1.5: upgrade to Platform 1.6 immediately. Do not delay this for convenience reasons.
  • Rotate any credential that may have been exposed via the affected component. The exposed agent configurations contained no plaintext secrets, so this is precautionary; it matters most if your deployment placed secrets in agent configurations anyway.
  • Audit your logs for indicators of exploitation. The specific signal for this flaw is an authenticated session requesting admin dashboard URLs whose tenant ID differs from the session's own tenant, especially one session walking through consecutive tenant IDs; a 200 response to such a request on 1.4 or 1.5 is a confirmed cross-tenant read. Also look for unfamiliar authenticated sessions. Anomalous tool calls or unexpected outbound traffic would indicate activity beyond this read-only flaw.
  • If exploitation is confirmed, the direct impact is disclosure of the affected tenants' agent configurations (the vector is C:L/I:N/A:N): identify which tenant IDs were read, notify those tenants and review what their configurations contained. Treat the host as compromised (rebuild from a clean image, rotate every secret on the host, audit lateral movement) only if you find evidence of activity beyond cross-tenant reads.
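The audit step above, as an added worked example; this is not tooling from the advisory or from NitroClaw. It assumes a space-separated access log in which each line carries the timestamp, user, the session's tenant ID, method, path and status, which is a constructed format: real proxy logs will not carry the session tenant, so in practice you join request logs against your session store first. The detector flags every admin dashboard request whose path tenant differs from the session tenant, counts those that succeeded, and lists users who walked through several foreign tenant IDs, the classic IDOR enumeration pattern.

```python
import re
from collections import defaultdict

# Assumed dashboard route shape; adjust to the real URL pattern.
ROUTE = re.compile(r"/admin/tenants/(\d+)/")

# Constructed sample lines (not real traffic):
# timestamp  user  session-tenant  method  path  status
SAMPLE_LOG = """\
2026-04-12T09:00:01Z u-3 101 GET /admin/tenants/101/agents 200
2026-04-12T09:00:07Z u-3 101 GET /admin/tenants/102/agents 200
2026-04-12T09:00:09Z u-3 101 GET /admin/tenants/103/agents 200
2026-04-12T09:00:12Z u-3 101 GET /admin/tenants/104/agents 404
2026-04-12T09:05:00Z u-8 202 GET /admin/tenants/202/agents 200
2026-04-12T09:06:00Z u-8 202 GET /admin/tenants/202/agents/7 200
2026-04-12T09:07:00Z u-8 202 GET /healthz 200
"""


def parse_line(line: str) -> dict:
    """Parse one line of the assumed log format into a dict."""
    ts, user, tenant, method, path, status = line.split()
    return {
        "ts": ts,
        "user": user,
        "tenant": int(tenant),
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_cross_tenant_reads(log_text: str) -> list:
    """Return every admin dashboard request whose path tenant ID differs from
    the session's tenant. On 1.4/1.5 a 200 here is a confirmed cross-tenant
    read; on 1.6 the same request should appear with a 404."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        m = ROUTE.search(entry["path"])
        if m is None:
            continue  # not a tenant-scoped dashboard URL
        path_tenant = int(m.group(1))
        if path_tenant != entry["tenant"]:
            entry["path_tenant"] = path_tenant
            hits.append(entry)
    return hits


def enumerating_users(hits: list, threshold: int = 2) -> dict:
    """Users that touched more than `threshold` distinct foreign tenant IDs.
    Sequential IDs in quick succession is what IDOR enumeration looks like."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["user"]].add(h["path_tenant"])
    return {u: sorted(t) for u, t in seen.items() if len(t) > threshold}


def summarize(log_text: str) -> dict:
    """Headline numbers for the incident write-up."""
    hits = find_cross_tenant_reads(log_text)
    return {
        "cross_tenant_requests": len(hits),
        "confirmed_reads": sum(1 for h in hits if h["status"] == 200),
        "enumerators": enumerating_users(hits),
    }


if __name__ == "__main__":
    for h in find_cross_tenant_reads(SAMPLE_LOG):
        print(h["ts"], h["user"], "session tenant", h["tenant"],
              "read tenant", h["path_tenant"], "->", h["status"])
    print(summarize(SAMPLE_LOG))
```

The set of foreign tenant IDs that returned 200 to a given user is exactly the notification list for that user's tenant-crossing, so keep it rather than just the counts.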
