CVE-2026-43989 Overview
CVE-2026-43989 affects JunoClaw, an agentic AI platform built on Juno Network. Versions prior to 0.x.y-security-1 contain an improper input validation flaw [CWE-20] in the upload_wasm Model Context Protocol (MCP) tool. The tool accepts a filesystem path supplied by the agent and uploads the bytes the path resolves to. It performs no validation of location, symlink target, file size, or file format. An attacker who can influence the agent's tool inputs can exfiltrate arbitrary files from the host filesystem or upload unauthorized WebAssembly modules.
Critical Impact
An attacker can coerce the agent into uploading arbitrary local files, including sensitive configuration data and credentials, by manipulating the path argument passed to upload_wasm.
Affected Products
- JunoClaw agentic AI platform
- All versions prior to 0.x.y-security-1
- Deployments exposing the upload_wasm MCP tool to untrusted agent input
Discovery Timeline
- 2026-05-12 - CVE-2026-43989 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43989
Vulnerability Analysis
The upload_wasm MCP tool exposes a path parameter to the agent layer. The implementation reads the bytes located at the supplied path and uploads them without applying any constraints. The function does not verify that the path resides within an expected directory, does not resolve symbolic links before reading, does not enforce a maximum file size, and does not validate that the file conforms to the WebAssembly binary format.
This design allows the agent, or any actor capable of influencing agent prompts or tool calls, to direct the upload at arbitrary locations on the host. Files such as /etc/passwd, SSH private keys, cloud credential files, and application configuration can be exfiltrated through the legitimate upload channel. The flaw also permits delivery of malformed or malicious WebAssembly payloads downstream.
Root Cause
The root cause is missing input validation on the path argument and missing format validation on the file contents. The tool trusts agent-supplied input as if it were operator-supplied input. Symlink resolution and path canonicalization are not performed prior to the read operation.
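The four checks this section names as missing (canonicalization, location, size, format) can be sketched as follows. This is an added example written in Python for illustration, not JunoClaw's code and not the remediation commit; the function name, exception, and 8 MiB cap are assumptions, and it targets POSIX hosts.

```python
import os
import stat

MAX_WASM_BYTES = 8 * 1024 * 1024          # assumed cap, not a value from the advisory
WASM_HEADER = b"\x00asm\x01\x00\x00\x00"  # magic bytes + binary format version 1


class RejectedUpload(Exception):
    """Raised when an agent-supplied path fails validation."""


def read_wasm_module(agent_path, module_dir, max_bytes=MAX_WASM_BYTES):
    """Return the file's bytes only if location, type, size and format all pass."""
    if "\x00" in agent_path:
        raise RejectedUpload("embedded NUL in path")
    root = os.path.realpath(module_dir)
    # Canonicalize first: realpath collapses ../ and resolves every symlink,
    # so the containment test sees where the read would really land.
    candidate = os.path.realpath(os.path.join(root, agent_path))
    if os.path.commonpath([root, candidate]) != root:
        raise RejectedUpload("path resolves outside the module directory")
    try:
        # O_NOFOLLOW refuses a final component swapped for a symlink after the
        # check; O_NONBLOCK keeps a FIFO from hanging the open.
        fd = os.open(candidate, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        raise RejectedUpload(f"cannot open file: {exc.strerror}") from exc
    try:
        info = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(info.st_mode):
            raise RejectedUpload("not a regular file")
        if info.st_size > max_bytes:
            raise RejectedUpload("file exceeds the size limit")
        chunks, remaining = [], info.st_size
        while remaining:  # read at most the size that was just checked
            chunk = os.read(fd, remaining)
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
    finally:
        os.close(fd)
    data = b"".join(chunks)
    if data[:8] != WASM_HEADER:
        raise RejectedUpload("content is not a WebAssembly binary")
    return data
```

The header comparison only confirms the file starts like a WebAssembly binary; it does not establish that the module is one the operator intended to publish.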
Attack Vector
Exploitation requires local access and user interaction with the agent, consistent with the recorded attack vector. A prompt injection delivered through agent inputs, or a compromised tool-calling chain, can supply a crafted path. The scope change reflects the ability to read resources outside the tool's intended boundary and to push attacker-controlled bytes into trusted upload pipelines.
No verified exploit code is published. See the GitHub Security Advisory GHSA-rw59-34hw-pmwp for vendor technical details.
Detection Methods for CVE-2026-43989
Indicators of Compromise
- upload_wasm tool invocations referencing paths outside the application's working directory or designated WebAssembly module directory.
- Agent tool calls referencing sensitive paths such as /etc/, ~/.ssh/, ~/.aws/, or environment files.
- Uploaded artifacts that do not begin with the WebAssembly magic bytes \x00asm.
- Symlinks created within agent-accessible directories that point to system locations.
Detection Strategies
- Inspect MCP server logs for upload_wasm calls with absolute paths or path traversal sequences such as ../.
- Correlate agent prompt content with subsequent tool calls to identify prompt-injection patterns directing file reads.
- Hash and validate uploaded artifacts to confirm they match expected WebAssembly module signatures.
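A triage pass over MCP server logs that applies the first strategy together with the path indicators listed above. This is an added example, not part of JunoClaw or the advisory; the JSON-lines record layout (tool, agent, arguments), the sample records, and the assumption that relative paths resolve against the module directory are all constructed for illustration.

```python
import json
import posixpath

MODULE_DIR = "/var/lib/junoclaw/modules"  # taken from the page's configuration example
SENSITIVE = ("/etc/", "/.ssh/", "/.aws/", ".env")  # path markers from the IoC list

# Constructed sample records; field names and the non-upload tool are assumptions.
SAMPLE_LOG = [
    '{"tool": "upload_wasm", "agent": "agent-1", "arguments": {"path": "contracts/escrow.wasm"}}',
    '{"tool": "upload_wasm", "agent": "agent-1", "arguments": {"path": "../../../etc/passwd"}}',
    '{"tool": "list_contracts", "agent": "agent-1", "arguments": {"path": "/etc/passwd"}}',
    '{"tool": "upload_wasm", "agent": "agent-2", "arguments": {"path": "/home/svc/.aws/credentials"}}',
    '{"tool": "upload_wasm", "agent": "agent-2", "arguments": {"path": "/var/lib/junoclaw/modules/ok.wasm"}}',
    'truncated or non-JSON line',
]


def triage_upload_calls(lines, module_dir=MODULE_DIR):
    """Return (line_no, agent, path, reasons) for each suspicious upload_wasm call."""
    root = posixpath.normpath(module_dir)
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record
        if not isinstance(event, dict) or event.get("tool") != "upload_wasm":
            continue
        args = event.get("arguments")
        path = str(args.get("path", "")) if isinstance(args, dict) else ""
        reasons = []
        if ".." in path.split("/"):
            reasons.append("traversal")
        # Lexical check only: a log line cannot show where a symlink points.
        resolved = posixpath.normpath(posixpath.join(root, path))
        if posixpath.commonpath([root, resolved]) != root:
            reasons.append("outside-module-dir")
        if any(marker in path for marker in SENSITIVE):
            reasons.append("sensitive-path")
        if reasons:
            findings.append((line_no, event.get("agent"), path, reasons))
    return findings
```

A clean result here does not rule out symlink abuse, which is only visible on the host filesystem or in the uploaded bytes.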
Monitoring Recommendations
- Enable verbose audit logging on all MCP tool invocations, capturing tool name, arguments, and invoking agent identity.
- Alert on reads of credential and configuration files by the JunoClaw service account.
- Track outbound transfers of files originating from the JunoClaw host to detect data exfiltration.
How to Mitigate CVE-2026-43989
Immediate Actions Required
- Upgrade JunoClaw to version 0.x.y-security-1 or later, as published in the GitHub Security Release.
- Audit recent upload_wasm invocations for paths outside the intended module directory.
- Rotate credentials, tokens, and keys accessible to the JunoClaw service account if exposure is suspected.
Patch Information
The fix is delivered in 0.x.y-security-1. The remediation commit, GitHub Commit a7886cd, adds validation on the path argument and file contents handled by upload_wasm.
Workarounds
- Disable or remove the upload_wasm MCP tool from agent tool registrations until the patch is applied.
- Run the JunoClaw process under a dedicated unprivileged account with filesystem access restricted to the WebAssembly module directory.
- Apply mandatory access controls or container filesystem mounts to prevent the service from reading sensitive paths.
- Sanitize agent inputs and constrain tool arguments to a strict allowlist of paths within the module directory.
# Configuration example: restrict the JunoClaw service to its module directory
sudo useradd --system --home /var/lib/junoclaw --shell /usr/sbin/nologin junoclaw
# useradd --system does not create the home directory, so create the module directory first
sudo mkdir -p /var/lib/junoclaw/modules
sudo chown -R junoclaw:junoclaw /var/lib/junoclaw/modules
sudo chmod 750 /var/lib/junoclaw/modules
# systemd hardening for the JunoClaw service unit ([Service] section)
# ProtectSystem=strict
# ProtectHome=true
# ReadWritePaths=/var/lib/junoclaw/modules
# NoNewPrivileges=true


