CVE-2026-36045 Overview
CVE-2026-36045 is an OS command injection vulnerability [CWE-78] affecting picoclaw versions v0.1.2 and earlier. The flaw resides in the ExecTool component implemented in pkg/tools/shell.go. The guardCommand() function attempts to restrict shell command execution using a denylist of eight regular expressions, but the denylist is incomplete and can be bypassed. Attackers can craft commands that evade the denylist filters and reach the underlying shell interpreter. Successful exploitation allows execution of arbitrary operating system commands in the context of the picoclaw process.
Critical Impact
Remote attackers can bypass the denylist filter in guardCommand() to execute arbitrary OS commands through the ExecTool shell interface.
Affected Products
- picoclaw v0.1.2
- picoclaw versions earlier than v0.1.2
- ExecTool component (pkg/tools/shell.go)
Discovery Timeline
- 2026-05-27 - CVE-2026-36045 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-36045
Vulnerability Analysis
The vulnerability resides in the ExecTool component of picoclaw, defined in pkg/tools/shell.go. picoclaw exposes a shell execution tool intended to run controlled commands. To restrict dangerous input, the guardCommand() function applies a denylist composed of eight regular expressions before passing the command to the shell. Denylists are a fundamentally weak control because they enumerate known-bad patterns rather than enforcing a known-good grammar. Any pattern not represented in the eight regular expressions reaches the shell unrestricted. An attacker who identifies a permitted construct can inject shell metacharacters, command separators, or alternative encodings to execute arbitrary commands. The issue is classified under [CWE-78] OS Command Injection.
Root Cause
The root cause is reliance on a denylist of regular expressions in guardCommand() rather than safe command construction. The filter does not account for the full range of shell syntax constructs such as alternate separators, subshell invocations, environment variable expansion, and quoting tricks. Because the function returns the original command string to a shell interpreter, any bypass results in direct command execution.
Attack Vector
The attack vector is any network-reachable interface that exposes the ExecTool functionality. An unauthenticated attacker can submit a crafted command string that passes all eight denylist regular expressions but still triggers additional shell behavior. The vulnerability requires no user interaction and no privileges. Refer to the GitHub Gist proof of concept and the picoclaw v0.1.2 release notes for technical detail on the bypass patterns.
No verified exploitation code is published in the NVD entry. See the referenced GitHub Gist for proof-of-concept payloads demonstrating denylist bypass against the guardCommand() regular expressions.
Detection Methods for CVE-2026-36045
Indicators of Compromise
- Unexpected child processes spawned by the picoclaw binary, such as /bin/sh, bash, curl, wget, or nc.
- Outbound network connections initiated by picoclaw to attacker-controlled hosts.
- Log entries in picoclaw showing commands containing shell metacharacters that were accepted by guardCommand().
Detection Strategies
- Monitor process creation events where the parent process is picoclaw and the child is a shell interpreter or downloader utility.
- Inspect picoclaw request logs for command strings containing characters such as `, $(), |, ;, &, or newline that should not appear in legitimate input.
- Hunt for file writes and persistence artifacts in directories writable by the picoclaw service account.
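The parent-child check from the detection strategies above, written as an added Go example that is not part of picoclaw or of any telemetry product. The JSON event schema (`parent`, `image`, `cmdline`) and the sample events are assumptions constructed for illustration; the watched binaries and metacharacters are the ones this advisory lists.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// ProcEvent is a hypothetical process-creation record; field names are assumptions.
type ProcEvent struct {
	Parent  string `json:"parent"`
	Image   string `json:"image"`
	Cmdline string `json:"cmdline"`
}

// Child binaries the advisory lists as unexpected under picoclaw.
var watched = map[string]bool{"sh": true, "bash": true, "curl": true, "wget": true, "nc": true}

// triage returns one finding per event whose parent is picoclaw and whose
// child is a watched binary, noting shell metacharacters in the command line.
func triage(jsonLines []string) []string {
	var findings []string
	for i, line := range jsonLines {
		var ev ProcEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			findings = append(findings, fmt.Sprintf("line %d: unparseable event", i+1))
			continue
		}
		if path.Base(ev.Parent) != "picoclaw" || !watched[path.Base(ev.Image)] {
			continue
		}
		note := ""
		if strings.ContainsAny(ev.Cmdline, "`$|;&\n") {
			note = " (metacharacters in command line)"
		}
		findings = append(findings, fmt.Sprintf("line %d: picoclaw -> %s%s", i+1, path.Base(ev.Image), note))
	}
	return findings
}

// Constructed sample events, not real telemetry.
var sample = []string{
	`{"parent":"/usr/local/bin/picoclaw","image":"/bin/sh","cmdline":"sh -c \"ls; id\""}`,
	`{"parent":"/usr/sbin/sshd","image":"/bin/bash","cmdline":"-bash"}`,
	`{"parent":"/usr/local/bin/picoclaw","image":"/usr/bin/curl","cmdline":"curl http://example.invalid/"}`,
}

func main() { fmt.Println(strings.Join(triage(sample), "\n")) }
```

Malformed events are reported rather than skipped so that a broken log pipeline does not silently hide activity.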
Monitoring Recommendations
- Forward picoclaw stdout, stderr, and audit logs to a centralized logging platform for retention and correlation.
- Enable host-based process telemetry on systems running picoclaw to record parent-child process lineage.
- Alert on egress traffic from the picoclaw host to non-approved destinations or on non-standard ports.
How to Mitigate CVE-2026-36045
Immediate Actions Required
- Restrict network access to picoclaw so that only trusted clients can reach the ExecTool endpoint.
- Run picoclaw under a dedicated low-privilege account and apply filesystem and capability restrictions.
- Audit recent picoclaw logs for evidence of denylist bypass attempts and investigate any anomalies.
Patch Information
No fixed release is identified in the NVD entry at the time of publication. Versions v0.1.2 and earlier remain vulnerable. Monitor the picoclaw release page for an updated build that replaces the denylist in guardCommand() with safe command construction or a strict allowlist.
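What "safe command construction or a strict allowlist" can look like in Go, as an added example that is not picoclaw code and not a published fix. The policy table, the `buildCommand` name and the permitted programs are hypothetical; the point is that input is checked against known-good structure and executed without a shell.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// allowed is a hypothetical policy: program name -> flags it may receive.
var allowed = map[string]map[string]bool{
	"ls":  {"-l": true, "-a": true},
	"cat": {},
	"wc":  {"-l": true},
}

// shellMeta holds characters that only mean something to a shell interpreter.
const shellMeta = "`$|;&<>(){}*?~\\\"'\n\r"

// buildCommand converts untrusted input into an argv for direct execution,
// or returns an error. Anything not explicitly permitted is rejected.
func buildCommand(input string) (*exec.Cmd, error) {
	if strings.ContainsAny(input, shellMeta) {
		return nil, errors.New("shell metacharacter in input")
	}
	argv := strings.Fields(input)
	if len(argv) == 0 {
		return nil, errors.New("empty command")
	}
	flags, ok := allowed[argv[0]]
	if !ok {
		return nil, fmt.Errorf("program %q is not on the allowlist", argv[0])
	}
	for _, arg := range argv[1:] {
		switch {
		case strings.HasPrefix(arg, "-") && !flags[arg]:
			return nil, fmt.Errorf("flag %q not permitted for %s", arg, argv[0])
		case strings.HasPrefix(arg, "/") || strings.Contains(arg, ".."):
			return nil, fmt.Errorf("path %q leaves the working directory", arg)
		}
	}
	// No "sh -c": argv is handed to the OS as-is, so no shell re-parses it.
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	_, err := buildCommand("ls -l; id") // constructed input
	fmt.Println("rejected:", err)
}
```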
Workarounds
- Disable the ExecTool component if it is not required for operational use.
- Place picoclaw behind an authenticated reverse proxy and reject requests containing shell metacharacters at the proxy layer.
- Apply container or sandbox isolation, such as seccomp or AppArmor profiles, to limit which binaries picoclaw can execute.
# Example: restrict picoclaw to localhost and harden its systemd unit
iptables -A INPUT -p tcp --dport <picoclaw_port> ! -s 127.0.0.1 -j DROP
systemctl edit picoclaw.service
# Add under [Service]:
# NoNewPrivileges=true
# ProtectSystem=strict
# PrivateTmp=true
# CapabilityBoundingSet=


