CVE-2026-7875 HIGH

CVE-2026-7875: NanoClaw Host/Container Filesystem Boundary Vulnerability via Outbound Attachment Handling

Vendor Qwibit
Product NanoClaw
Weakness CWE-22 · Path traversal
Published May 6, 2026
Last update May 19, 2026

CVSS base score

8.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.

Key dates

02Disclosure timeline

May 6, 2026 CVE published
May 19, 2026 Record updated