CVE-2026-43991 Overview
CVE-2026-43991 affects JunoClaw, an agentic AI platform built on the Juno Network. The vulnerability resides in plugin-shell, where a substring-based blocklist enforced the command-safety check against the raw command string rather than the parsed first token. Adversarial argument constructions bypass this control, enabling unauthorized command execution on the host. The flaw is classified as OS Command Injection [CWE-78] and is fixed in release 0.x.y-security-1. Exploitation requires local access but no privileges or user interaction, yielding high impact to confidentiality, integrity, and availability.
Critical Impact
A local attacker can bypass the plugin-shell command safety filter and execute arbitrary commands on the host running the JunoClaw agent runtime.
Affected Products
- JunoClaw agentic AI platform prior to 0.x.y-security-1
- plugin-shell component within the JunoClaw runtime
- junoclaw-runtime crate exposing shell execution paths
Discovery Timeline
- 2026-05-12 - CVE-2026-43991 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43991
Vulnerability Analysis
JunoClaw's plugin-shell component implemented a command-safety check using substring matching against a blocklist. The check operated on the raw, unparsed command string rather than on the first tokenized argument representing the executable. This design allows attackers to craft argument constructions that hide a disallowed binary from substring inspection while still reaching the shell for execution. The companion advisory referenced in the upstream notes compounds the issue by enabling reachable execution paths once the filter is bypassed.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-78]. Because the safety check inspected the raw string, semantically equivalent but textually distinct invocations evaded the blocklist. A correct implementation requires parsing the command into argv tokens and validating the resolved executable against an allowlist, not a denylist of substrings.
Attack Vector
The attack vector is local. An adversary who can submit commands to the JunoClaw agent — for example, via plugin inputs, prompts routed to plugin-shell, or other runtime entry points — supplies a crafted command that evades substring matching. The runtime then dispatches the command to the shell, resulting in arbitrary command execution under the privileges of the JunoClaw process.
// Security patch: Cargo.lock dependency additions for plugin-shell
"junoclaw-core",
"serde",
"serde_json",
+ "shell-words",
+ "tempfile",
"tokio",
"tracing",
]
Source: GitHub Commit 2bc54f6
The patch introduces the shell-words crate to parse commands into argv tokens before validation, replacing raw-string substring checks. The tempfile dependency supports safer scratch-file handling within the corrected execution paths.
# crates/junoclaw-runtime/Cargo.toml — opt-in feature gate
edition = "2021"
description = "JunoClaw agent execution runtime"
+[features]
+default = []
+# Forwards `unsafe-shell` to plugin-shell. Off by default; enabling adds the
+# shell + Python execution code paths to the binary. See plugin-shell's
+# Cargo.toml and SECURITY.md for the full opt-in semantics.
+unsafe-shell = ["plugin-shell/unsafe-shell"]
+
[dependencies]
junoclaw-core = { path = "../junoclaw-core" }
plugin-llm = { path = "../../plugins/plugin-llm" }
Source: GitHub Commit 2bc54f6
The fix also gates shell and Python execution behind a non-default unsafe-shell Cargo feature. Builds that omit the feature exclude the dangerous code paths entirely.
Detection Methods for CVE-2026-43991
Indicators of Compromise
- Unexpected child processes spawned by the JunoClaw runtime or plugin-shell worker.
- Shell invocations containing argument constructions that resolve to binaries outside any documented allowlist.
- Outbound network connections, file writes, or credential access originating from the JunoClaw process tree.
Detection Strategies
- Audit process ancestry for shells (/bin/sh, bash, cmd.exe) parented by JunoClaw or plugin-shell binaries.
- Compare executed commands against the post-patch allowlist; flag any executable not on the list.
- Hunt for usage of the unsafe-shell Cargo feature in deployed binaries via build provenance and SBOM data.
Monitoring Recommendations
- Enable command-line argument logging on hosts running JunoClaw and forward to a centralized log store.
- Alert on writes to /tmp or other scratch paths followed by execution from the JunoClaw process.
- Track plugin input telemetry for commands containing shell metacharacters or chained operators.
How to Mitigate CVE-2026-43991
Immediate Actions Required
- Upgrade JunoClaw to 0.x.y-security-1 or later on all hosts running the agent runtime.
- Rebuild downstream binaries without the unsafe-shell Cargo feature unless explicitly required.
- Inventory deployed JunoClaw versions and confirm none predate the security release.
Patch Information
The vendor released the fix in version 0.x.y-security-1. The patch replaces raw-string substring checks with shell-words tokenization and an allowlist-only validation model. It also relocates shell and Python execution behind the opt-in unsafe-shell Cargo feature. See the GitHub Security Advisory GHSA-fvq5-79h6-952c and the GitHub Commit 2bc54f6 for full details.
Workarounds
- Disable or remove plugin-shell from JunoClaw deployments that do not require shell execution.
- Build the runtime without the unsafe-shell feature to exclude shell and Python execution code paths.
- Restrict who can submit prompts or plugin inputs to JunoClaw agents through network and identity controls.
# Build JunoClaw runtime without the unsafe-shell feature
cargo build --release --no-default-features -p junoclaw-runtime
# Verify the installed version meets or exceeds the security release
junoclaw --version # expect 0.x.y-security-1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
