CVE-2026-43993 Overview
CVE-2026-43993 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in JunoClaw, an agentic AI platform built on the Juno Network. The flaw resides in the WAVS bridge component, where the computeDataVerify function invokes fetch() against agent-supplied URLs without validating the scheme, port, or resolved IP address. An attacker controlling agent input can coerce the server into issuing arbitrary outbound HTTP requests, including to internal network resources and cloud metadata endpoints. The maintainers fixed the issue in release 0.x.y-security-1.
Critical Impact
Unauthenticated attackers can pivot through the WAVS bridge to reach internal services and metadata endpoints, exposing confidential data and degrading availability.
Affected Products
- JunoClaw agentic AI platform (WAVS bridge component)
- All versions prior to 0.x.y-security-1
- Deployments using wavs/bridge/src/local-compute.ts with unguarded fetch() calls
Discovery Timeline
- 2026-05-12 - CVE-2026-43993 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43993
Vulnerability Analysis
The WAVS bridge in JunoClaw exposes a verification path named computeDataVerify that retrieves remote data referenced by autonomous agents. The handler accepts URLs supplied through the agent interface and passes them directly to the Node.js fetch() API. Because no allowlist, scheme check, port restriction, or DNS resolution validation is performed, the bridge will follow URLs that target loopback addresses, private RFC1918 ranges, link-local IPs such as 169.254.169.254, or non-HTTP schemes accepted by the runtime.
This behavior matches the SSRF pattern described in [CWE-918]. The attacker does not need credentials on the bridge itself; they only need to influence agent input, which is the normal mode of operation for an agentic platform. Successful exploitation can leak cloud metadata tokens, reach internal control planes, and amplify requests against backend services.
Root Cause
The root cause is missing input validation on URLs passed to outbound HTTP calls. computeDataVerify trusted agent-supplied destinations and delegated network policy to the underlying runtime, which by default permits requests to any reachable host.
Attack Vector
Exploitation is network-based and requires user interaction in the form of an agent action that triggers computeDataVerify. The attacker crafts a malicious URL, submits it through the agent workflow, and the bridge issues the request from its own network position. Responses can be reflected back to the attacker through the verification result or observed via side channels such as timing and error messages.
// Patch from wavs/bridge/src/local-compute.ts
*/
import { createHash } from "crypto";
+import { safeFetch } from "./utils/ssrf-guard.js";
// Must match: wavs/src/lib.rs → compute_attestation_hash()
const COMPONENT_ID = "junoclaw-wavs-v0.1.0";
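Review bot: The hunk shows only the added `import { safeFetch } from "./utils/ssrf-guard.js";` line; the call site in computeDataVerify where fetch() is replaced by safeFetch is not in view, so as quoted the hunk does not demonstrate the fix. Include the call-site hunk alongside the import, and consider a lint rule in the bridge package (ESLint's no-restricted-globals on fetch, for example) so that a direct fetch() cannot be reintroduced next to the guard.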
Source: GitHub Commit a168608. The fix introduces a safeFetch wrapper in ./utils/ssrf-guard.js that replaces direct fetch() calls and enforces scheme, port, and resolved-IP validation before issuing the outbound request.
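The guard described above, written out as an added example. This is not the project's ssrf-guard.js or the code in commit a168608; the blocked ranges, the allowed ports and the names checkUrlSyntax, validateUrl, isBlockedAddress and Resolver are assumptions. It performs the three checks the advisory names (scheme, port, resolved IP) and handles two edge cases a URL-based SSRF guard has to get right: IPv4-mapped IPv6 literals, which the WHATWG URL parser serializes in hex form (`http://[::ffff:127.0.0.1]/` becomes `[::ffff:7f00:1]`), and redirects, which are not followed automatically.

```typescript
// Added example (not JunoClaw's ssrf-guard.js): an SSRF guard of the kind the
// advisory describes for safeFetch. Ranges, ports and names are assumptions.
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

export type Resolver = (host: string) => Promise<string[]>;

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_PORTS = new Set([80, 443]);

// IPv4 ranges the bridge must never reach (assumed policy): "this" network,
// RFC1918, shared address space, loopback, link-local, multicast, reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inV4Cidr(ip: string, base: string, bits: number): boolean {
  const mask = (~0 << (32 - bits)) >>> 0; // bits is 1..32 for every entry above
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True for any address the bridge must not connect to. IPv4-mapped IPv6
// literals are unwrapped first: the WHATWG URL parser serializes
// http://[::ffff:127.0.0.1]/ as [::ffff:7f00:1], while DNS may return the
// dotted form, so both spellings are handled before the IPv4 table is consulted.
export function isBlockedAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) return BLOCKED_V4.some(([base, bits]) => inV4Cidr(ip, base, bits));
  if (family === 6) {
    const v6 = ip.toLowerCase();
    const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
    if (dotted) return isBlockedAddress(dotted[1]);
    const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return v6 === "::1" || v6 === "::" ||        // loopback, unspecified
      /^fe[89ab][0-9a-f]:/.test(v6) ||            // link-local fe80::/10
      /^f[cd][0-9a-f]{2}:/.test(v6);              // unique local fc00::/7
  }
  return true; // not an address literal at all: refuse rather than guess
}

// Synchronous checks: scheme, embedded credentials, port. Returns the parsed
// URL and the host to resolve (IPv6 brackets stripped).
export function checkUrlSyntax(raw: string): { url: URL; host: string; port: number } {
  let url: URL;
  try { url = new URL(raw); } catch { throw new Error("malformed URL"); }
  if (!ALLOWED_SCHEMES.has(url.protocol)) throw new Error(`scheme not allowed: ${url.protocol}`);
  if (url.username || url.password) throw new Error("credentials in URL not allowed");
  const port = url.port ? Number(url.port) : url.protocol === "https:" ? 443 : 80;
  if (!ALLOWED_PORTS.has(port)) throw new Error(`port not allowed: ${port}`);
  return { url, host: url.hostname.replace(/^\[|\]$/g, ""), port };
}

const defaultResolver: Resolver = async (host) =>
  (await lookup(host, { all: true })).map((r) => r.address);

// Resolves the host (unless it is already a literal) and rejects the URL if any
// returned address is blocked. The resolver is injectable for offline tests.
export async function validateUrl(raw: string, resolve: Resolver = defaultResolver): Promise<URL> {
  const { url, host } = checkUrlSyntax(raw);
  const addrs = isIP(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error("hostname did not resolve");
  const bad = addrs.find(isBlockedAddress);
  if (bad !== undefined) throw new Error(`destination ${bad} is in a blocked range`);
  return url;
}

// Drop-in replacement for fetch(): validate first, and do not follow redirects
// automatically, since a 3xx into a blocked range would bypass the check above.
export async function safeFetch(raw: string, init: RequestInit = {}, resolve?: Resolver): Promise<Response> {
  const url = await validateUrl(raw, resolve);
  return fetch(url, { ...init, redirect: "manual" });
}
```

Two design points are worth noting. The WHATWG URL parser already canonicalizes alternative IPv4 spellings (`http://0x7f.1/` parses to hostname `127.0.0.1`), so the table lookup runs on a normalized form. There is still a window between the lookup in validateUrl and the connection made by fetch(), which a DNS rebinding answer could exploit; closing it means connecting to the address that was actually validated (a custom agent whose lookup hook re-applies isBlockedAddress, or an explicit connection to the vetted IP with the Host header set).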
Detection Methods for CVE-2026-43993
Indicators of Compromise
- Outbound HTTP requests from the WAVS bridge host to private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or loopback 127.0.0.0/8.
- Bridge-originated requests to cloud metadata endpoints such as 169.254.169.254 or metadata.google.internal.
- Agent inputs containing URLs with non-HTTP schemes (file://, gopher://) or unusual ports reaching computeDataVerify.
Detection Strategies
- Instrument the JunoClaw bridge process to log every URL passed to fetch() along with the resolved IP and originating agent identifier.
- Compare outbound destinations against an allowlist of expected JunoClaw and Juno Network endpoints, flagging deviations.
- Hunt in proxy and VPC flow logs for connections initiated by the bridge service account that terminate on internal CIDRs.
Monitoring Recommendations
- Forward bridge application logs and network telemetry to a centralized data lake for correlation with agent activity.
- Alert on first-seen destinations from the bridge host and on any successful connections to metadata service IPs.
- Track the version string junoclaw-wavs-v0.1.0 across the fleet to identify hosts still running pre-patch code.
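The detection and monitoring items above, turned into an added example that runs offline over constructed log lines. This is not JunoClaw tooling: the log format (`<ts> bridge fetch key=value ...`), the field names, the bridge host names and the allowlist of expected endpoints are all assumptions made for this example. It flags non-HTTP schemes and unusual ports, requests whose destination or resolved address is one of the metadata endpoints the advisory names, deviations from the allowlist, first-seen destinations, and bridge hosts still reporting the pre-patch component id junoclaw-wavs-v0.1.0.

```typescript
// Added example (not JunoClaw tooling): offline triage of bridge fetch logs in
// the shape the detection section recommends. Log format, field names, host
// names and the allowlist are constructed for this example.
export interface BridgeEvent {
  ts: string; host: string; agent: string; url: string; resolved: string; component: string;
}
export interface Finding { ts: string; host: string; agent: string; rule: string; detail: string; }

// Assumed allowlist of expected JunoClaw / Juno Network endpoints.
const ALLOWED_HOSTS = new Set(["api.junoclaw.example", "rpc.juno.example"]);
// Metadata endpoints named in the advisory.
const METADATA_HOSTS = new Set(["169.254.169.254", "metadata.google.internal"]);
// Component id the advisory associates with pre-patch code.
const PREPATCH_COMPONENT = "junoclaw-wavs-v0.1.0";

// Parses one "<ts> bridge fetch k=v k=v ..." line; any other line yields null.
export function parseBridgeLine(line: string): BridgeEvent | null {
  const m = /^(\S+) bridge fetch (.*)$/.exec(line);
  if (!m) return null;
  const kv: Record<string, string> = {};
  for (const tok of m[2].split(/\s+/)) {
    const i = tok.indexOf("=");
    if (i > 0) kv[tok.slice(0, i)] = tok.slice(i + 1);
  }
  return { ts: m[1], host: kv.host ?? "?", agent: kv.agent ?? "?", url: kv.url ?? "",
           resolved: kv.resolved ?? "", component: kv.component ?? "" };
}

// Applies the detection rules to a batch of lines. Findings are per event;
// pre-patch hosts are collected once across the whole batch (fleet tracking).
export function triage(lines: string[]): { findings: Finding[]; prePatchHosts: string[] } {
  const findings: Finding[] = [];
  const prePatch = new Set<string>();
  const seen = new Set<string>(ALLOWED_HOSTS); // first-seen tracking starts from the allowlist
  for (const line of lines) {
    const ev = parseBridgeLine(line);
    if (!ev) continue;
    const flag = (rule: string, detail: string) =>
      findings.push({ ts: ev.ts, host: ev.host, agent: ev.agent, rule, detail });
    if (ev.component === PREPATCH_COMPONENT) prePatch.add(ev.host);
    let u: URL;
    try { u = new URL(ev.url); } catch { flag("malformed-url", ev.url); continue; }
    if (u.protocol !== "http:" && u.protocol !== "https:") { flag("non-http-scheme", u.protocol); continue; }
    const dest = u.hostname.replace(/^\[|\]$/g, "");
    if (u.port !== "" && u.port !== "80" && u.port !== "443") flag("non-standard-port", u.port);
    if (METADATA_HOSTS.has(dest) || METADATA_HOSTS.has(ev.resolved)) flag("metadata-endpoint", `${dest} -> ${ev.resolved}`);
    if (!ALLOWED_HOSTS.has(dest)) flag("off-allowlist", dest);
    if (!seen.has(dest)) { seen.add(dest); flag("first-seen-destination", dest); }
  }
  return { findings, prePatchHosts: Array.from(prePatch) };
}

// Constructed sample log lines (not real JunoClaw output).
export const SAMPLE_LOG = [
  "2026-05-14T10:00:01Z bridge fetch host=bridge-a agent=agent-17 url=https://api.junoclaw.example/v1/verify resolved=203.0.113.10 component=junoclaw-wavs-v0.1.0",
  "2026-05-14T10:00:02Z bridge fetch host=bridge-a agent=agent-17 url=http://169.254.169.254/ resolved=169.254.169.254 component=junoclaw-wavs-v0.1.0",
  "2026-05-14T10:00:03Z bridge fetch host=bridge-b agent=agent-22 url=file:///tmp/note.txt resolved= component=junoclaw-wavs-v0.1.0",
  "2026-05-14T10:00:04Z bridge fetch host=bridge-b agent=agent-22 url=http://internal-ci.corp.example:8080/ resolved=10.20.30.40 component=junoclaw-wavs-v0.1.0",
  "2026-05-14T10:00:05Z bridge fetch host=bridge-c agent=agent-31 url=https://rpc.juno.example/status resolved=203.0.113.20",
  "2026-05-14T10:00:06Z some other log line",
];

for (const f of triage(SAMPLE_LOG).findings) console.log(`${f.ts} ${f.host} ${f.agent} ${f.rule}: ${f.detail}`);
```

Against the sample, the first and fifth events are clean, the metadata request produces three findings (metadata-endpoint, off-allowlist and first-seen-destination), the file:// URL one, and the port-8080 request to an unlisted host three; bridge-a and bridge-b are reported as pre-patch because they still emit the v0.1.0 component id. Seeding the first-seen set from the allowlist keeps expected endpoints from alerting on a fresh deployment; in production the set would be persisted rather than rebuilt per batch.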
How to Mitigate CVE-2026-43993
Immediate Actions Required
- Upgrade JunoClaw to release 0.x.y-security-1 or later, which includes the safeFetch SSRF guard.
- Audit recent agent activity for URLs targeting internal hosts, metadata services, or unusual ports.
- Rotate any credentials, tokens, or instance metadata that may have been exposed through bridge-issued requests.
Patch Information
The fix is published in the v0.x.y-security-1 release and described in GHSA-q545-mvjf-q9pg. The code change in commit a168608 replaces direct fetch() usage in computeDataVerify with the new safeFetch helper that validates scheme, port, and resolved IP.
Workarounds
- Restrict egress from the bridge host with a firewall policy that denies traffic to RFC1918 ranges, loopback, and link-local addresses.
- Route bridge outbound traffic through an HTTP proxy that enforces a destination allowlist.
- Disable or gate the computeDataVerify code path until the patched release can be deployed.
# Example egress restriction using iptables on the WAVS bridge host
# Matches traffic generated by the "junoclaw" service account (owner match, OUTPUT chain).
# -A appends: make sure no earlier OUTPUT rule already ACCEPTs this traffic, and mirror
# the policy in ip6tables (::1, fe80::/10, fc00::/7) if the host has IPv6 connectivity.
iptables -A OUTPUT -m owner --uid-owner junoclaw -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner junoclaw -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner junoclaw -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner junoclaw -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner junoclaw -d 169.254.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


