CVE-2026-43990 Overview
CVE-2026-43990 is a command injection vulnerability in JunoClaw, an agentic AI platform built on Juno Network. The flaw resides in plugin-shell's run_command function, which wrapped every agent-supplied command in sh -c or cmd /C and passed the full argument string to the shell parser. This behavior allowed shell metacharacters in agent-supplied arguments to be interpreted as command syntax. The issue is tracked as CWE-77: Improper Neutralization of Special Elements used in a Command. The vulnerability is fixed in version 0.x.y-security-1.
Critical Impact
An attacker controlling agent inputs can inject arbitrary shell commands through metacharacters, achieving local code execution with full confidentiality, integrity, and availability impact on the host.
Affected Products
- JunoClaw plugin-shell versions prior to 0.x.y-security-1
- JunoClaw runtime (junoclaw-runtime) builds that link plugin-shell
- Agentic workflows using the run_command interface on the Juno Network platform
Discovery Timeline
- 2026-05-12 - CVE-2026-43990 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43990
Vulnerability Analysis
The vulnerability stems from how plugin-shell constructed and executed agent-supplied commands. The run_command wrapper invoked the system shell (sh -c on Unix-like systems, cmd /C on Windows) and forwarded the entire argument string for parsing. Because the shell interprets characters such as ;, &&, |, `, $(), and redirection operators, any agent-supplied argument containing these metacharacters became executable syntax. An attacker who can influence the prompt or tool input feeding the agent can therefore append arbitrary commands to the intended invocation. The impact is local code execution under the privileges of the JunoClaw runtime process.
Root Cause
The root cause is a failure to neutralize special elements before delegating execution to a command interpreter [CWE-77]. Instead of using direct process execution APIs with an argv vector, run_command concatenated agent input into a single shell-parsed string. This collapsed the boundary between command name, arguments, and shell control syntax.
Attack Vector
Exploitation requires local access in the CVSS sense: the attacker must be able to supply input that the agent passes to run_command. In practice, this includes any upstream prompt, retrieved document, or tool result that the agent treats as a command argument. Crafting an argument such as benign_value; malicious_command causes the shell to execute both. No authentication or user interaction is required at the shell layer.
The upstream fix introduces a Cargo feature gate and an allowlist-only execution path. The shell and Python execution paths are now opt-in via the unsafe-shell feature, and arguments are tokenized using shell-words rather than concatenated into a shell-parsed string.
edition = "2021"
description = "JunoClaw agent execution runtime"
[features]
default = []
# Forwards `unsafe-shell` to plugin-shell. Off by default; enabling adds the
# shell + Python execution code paths to the binary. See plugin-shell's
# Cargo.toml and SECURITY.md for the full opt-in semantics.
unsafe-shell = ["plugin-shell/unsafe-shell"]
[dependencies]
junoclaw-core = { path = "../junoclaw-core" }
plugin-llm = { path = "../../plugins/plugin-llm" }
Source: GitHub Commit 2bc54f6
Detection Methods for CVE-2026-43990
Indicators of Compromise
- Process trees showing the JunoClaw runtime spawning sh -c or cmd /C followed by unexpected child processes such as curl, wget, nc, bash, powershell, or python invoked outside the agent's documented toolset.
- Agent execution logs containing shell metacharacters (;, &&, ||, |, `, $(, >, <) inside run_command argument fields.
- Outbound network connections originating from the JunoClaw runtime process to domains not associated with configured LLM or tool endpoints.
Detection Strategies
- Audit plugin-shell invocation logs for argument strings that contain shell control characters and correlate them with the originating agent prompt or tool result.
- Apply EDR rules that flag the JunoClaw runtime binary spawning interactive shells or scripting interpreters as immediate children.
- Inspect builds for the unsafe-shell Cargo feature; binaries compiled without it should not contain the shell execution code path.
Monitoring Recommendations
- Enable command-line auditing (auditd execve on Linux, Sysmon Event ID 1 on Windows) for all hosts running JunoClaw agents.
- Forward agent input/output logs to a centralized analytics pipeline and alert on metacharacter patterns adjacent to tool-call arguments.
- Baseline normal child processes of the JunoClaw runtime and alert on deviations.
How to Mitigate CVE-2026-43990
Immediate Actions Required
- Upgrade JunoClaw to release v0.x.y-security-1 or later, available on the JunoClaw GitHub releases page.
- Rebuild downstream binaries with the default = [] feature set so the unsafe-shell code path is excluded unless explicitly required.
- Review agent tool definitions and remove any direct exposure of run_command to untrusted prompt input.
Patch Information
The fix is delivered in commit 2bc54f6 and released as v0.x.y-security-1. The patch adds the shell-words and tempfile crates, gates shell and Python execution behind the opt-in unsafe-shell Cargo feature, and restricts execution to an allowlist. Full details are in the GitHub Security Advisory GHSA-gpvm-3chf-2649.
"junoclaw-core",
"serde",
"serde_json",
+ "shell-words",
+ "tempfile",
"tokio",
"tracing",
]
Source: GitHub Commit 2bc54f6
Workarounds
- Compile JunoClaw without the unsafe-shell feature to remove the vulnerable shell execution code path entirely.
- Restrict the executing user account with mandatory access controls (AppArmor, SELinux, or Windows AppContainer) so any injected command runs in a constrained context.
- Sanitize or reject agent-supplied arguments containing shell metacharacters at the orchestration layer before they reach run_command.
# Build JunoClaw runtime with the vulnerable code path excluded
cargo build --release --no-default-features
# Verify the unsafe-shell feature is not enabled
cargo tree -e features | grep -i unsafe-shell || echo "unsafe-shell disabled"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
