nanocoai/nanoclaw

GitHub

github.com

nanoclaw.dev

Releases5

Frequency2 weeks 5 days

Last Release about 1 month ago

Stars29.8K

A lightweight alternative to OpenClaw that runs in containers for security. Connects to WhatsApp, Telegram, Slack, Discord, Gmail and other messaging apps,, has memory, scheduled jobs, and runs directly on Anthropic's Agents SDK

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-56694 ↗	Jun 23, 2026Tuesday, 23 June 2026, 16:17	5.4 MEDIUM	—
NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channels into out-of-scope agent groups, exposing unauthorized groups to unapproved channels and enabling unauthorized observation or control of restricted agent group activity.
CVE-2026-56402 ↗	Jun 23, 2026Tuesday, 23 June 2026, 16:17	6.5 MEDIUM	—
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response payloads without proper role validation.
CVE-2026-56692 ↗	Jun 23, 2026Tuesday, 23 June 2026, 16:17	5.5 MEDIUM	—
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
CVE-2026-56693 ↗	Jun 23, 2026Tuesday, 23 June 2026, 16:17	5.5 MEDIUM	—
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke create_agent to create arbitrary agent groups, container configurations, and destinations, escalating beyond their intended confinement boundary.
CVE-2026-7875 ↗	May 6, 2026Wednesday, 6 May 2026, 17:16	8.8 HIGH	—
NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target.