CVE-2026-10216
Description
CVE-2026-10216: The /pairing/claim endpoint in droidclaw up to 0.5.3 trusts spoofable HTTP headers for rate limiting, allowing brute-force of pairing codes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the /pairing/claim endpoint of server/src/routes/pairing.ts in unitedbyai droidclaw up to version 0.5.3 [1]. The endpoint implements an IP-based rate limiter (isRateLimited()) to prevent brute-force attacks against 6-digit pairing codes. However, the IP address is extracted from the X-Forwarded-For or X-Real-IP HTTP headers, which are easily spoofed by an attacker [2][3]. This improper restriction of excessive authentication attempts allows an unauthenticated remote attacker to bypass the intended 5-attempts-per-minute limit.
Exploitation
An attacker can send requests to the /pairing/claim endpoint with a randomly generated X-Forwarded-For header for each request, making each attempt appear to come from a different IP address [2][3]. This bypasses the in-memory rate limiter, which keys on the spoofed IP. The attacker can then brute-force the entire 6-digit pairing code keyspace (900,000 possibilities) within minutes. No prior authentication or user interaction is required. The exploit is publicly available [2][3].
Impact
Upon successfully guessing a valid pairing code, the server returns the victim user's apiKey [2][3]. With this key, the attacker can connect to the WebSocket API and gain full control over the victim's device, effectively achieving device takeover. This compromises the confidentiality, integrity, and availability of the device and any data accessible through it.
Mitigation
As of the publication date, the project maintainer has not responded to the issue report [2][3]. No official fix or patched version has been released. Users are advised to disable the /pairing/claim endpoint or implement a more robust rate-limiting mechanism that does not rely on spoofable headers (e.g., using a session token or CAPTCHA). The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
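Added example, not droidclaw's code: the header-keyed limiter described above beside one keyed on the connection's peer address, which is the kind of non-spoofable key the mitigation advice calls for. The `Req` shape, the trusted-proxy set and the 5-per-minute window are assumptions made for the example.

```typescript
// Hypothetical minimal request: peer address of the TCP connection + lower-cased headers.
interface Req {
  socketAddr: string;
  headers: Record<string, string | undefined>;
}
// Vulnerable keying: the first X-Forwarded-For hop (or X-Real-IP) is taken at face
// value, so a client that varies the header gets a fresh bucket on every request.
function keyFromHeaders(req: Req): string {
  const xff = req.headers["x-forwarded-for"];
  if (xff) return (xff.split(",")[0] ?? "").trim();
  return req.headers["x-real-ip"] ?? req.socketAddr;
}

// Hardened keying: honour the forwarding header only when the connection itself comes
// from a proxy we operate, and then only its rightmost hop (the one that proxy appended).
function keyFromConnection(req: Req, trustedProxies: Set<string>): string {
  const xff = req.headers["x-forwarded-for"];
  if (trustedProxies.has(req.socketAddr) && xff) {
    const hops = xff.split(",").map(h => h.trim()).filter(h => h.length > 0);
    return hops[hops.length - 1] ?? req.socketAddr;
  }
  return req.socketAddr;
}

// Sliding-window limiter in the spirit of the page's 5-attempts-per-minute rule.
class RateLimiter {
  private readonly attempts = new Map<string, number[]>();
  private readonly max: number;
  private readonly windowMs: number;
  constructor(max: number, windowMs: number) { this.max = max; this.windowMs = windowMs; }
  isRateLimited(key: string, now: number): boolean {
    const recent = (this.attempts.get(key) ?? []).filter(t => now - t < this.windowMs);
    const limited = recent.length >= this.max;
    if (!limited) recent.push(now);
    this.attempts.set(key, recent);
    return limited;
  }
}

// Simulate n claim attempts from one socket, each carrying a different constructed
// X-Forwarded-For value, and count how many the limiter lets through.
function attemptsAllowed(keyFn: (r: Req) => string, n: number): number {
  const limiter = new RateLimiter(5, 60_000);
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    const req: Req = { socketAddr: "203.0.113.7", headers: { "x-forwarded-for": `10.0.${i >> 8}.${i & 255}` } };
    if (!limiter.isRateLimited(keyFn(req), i)) allowed++;
  }
  return allowed;
}
```

Keying on the peer address only caps attempts per real source address, so a caller with many addresses still gets its allowance per address; that is why the advice above also mentions binding attempts to a session token or adding a CAPTCHA.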
[1] GitHub - unitedbyai/droidclaw: turn old phones into ai agents - give it a goal in plain english. it reads the screen, thinks about what to do, taps and types via adb, and repeats until the job is done.
[2] [Security] Unauthenticated Authentication Bypass via Rate Limiter Evasion and IP Spoofing in Pairing API
[3] https://gist.github.com/YLChen-007/2639ccaefd55ef4309953b76bc4c737e/raw
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.5.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing rate limiting on the claim endpoint allows unlimited authentication attempts."
Attack vector
An attacker can remotely send repeated authentication requests to the `claim` endpoint in `server/src/routes/pairing.ts` without any prior authentication [ref_id=1]. Because the endpoint does not enforce rate limiting or account lockout, the attacker can brute-force or replay pairing claims indefinitely. The attack requires high complexity due to the need to craft valid request parameters, but no special privileges or network position beyond reachability to the server are needed.
Affected code
The vulnerability is in the file `server/src/routes/pairing.ts` within the `claim` endpoint. This endpoint handles device pairing requests but lacks rate-limiting or other controls to restrict excessive authentication attempts [ref_id=1]. The exact function name is not specified in the available references.
What the fix does
No patch has been published by the vendor. The project was informed via an issue report but has not responded. The recommended remediation is to implement rate limiting on the `claim` endpoint (e.g., a per-IP or per-device token bucket), enforce a maximum number of claim attempts per time window, and optionally introduce CAPTCHA or proof-of-work challenges for repeated requests [ref_id=1].
Preconditions
- Network: The attacker must be able to reach the server's pairing endpoint over the network.
- Auth: No authentication or prior session is required.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.