NanoClaw < 2.1.17 - Privilege Escalation via Unauthorized create_agent System Action | Advisories

Advisories

NanoClaw < 2.1.17 - Privilege Escalation via Unauthorized create_agent System Action

severity: medium
date: 6/23/2026
Affecting: nanoclaw < 2.1.17
CVE: CVE-2026-56693
CWE: CWE-602 Client-Side Enforcement of Server-Side Security
CVSS: 6.8
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References: Pull Request
Patch Commit
Credit: Chia Min Jun Lennon
Description: NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke create_agent to create arbitrary agent groups, container configurations, and destinations, escalating beyond their intended confinement boundary.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo