Unrated severity · NVD Advisory · Published Jun 23, 2026
NanoClaw < 2.1.17 - Arbitrary File Read via Symlink Following in forwardAttachedFiles
CVE-2026-56692
Description
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.