CVE-2026-7875 Overview
CVE-2026-7875 is a path traversal vulnerability in NanoClaw, an agent runtime that mediates message exchange between containerized workloads and a host. The flaw resides in outbound attachment handling and outbox cleanup logic. A compromised or prompt-injected container can supply crafted messages_out.id and content.files values, or plant symlinked outbox files, to escape the intended outbox directory. Successful exploitation results in host-side reads of arbitrary files and, in some configurations, recursive deletion of paths outside the cleanup target. The issue is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
A prompt-injected or compromised container can read arbitrary host files and trigger recursive deletion of host paths outside the outbox boundary.
Affected Products
- NanoClaw (qwibitai/nanoclaw) — outbound attachment handling component
- NanoClaw outbox cleanup subsystem
- Container deployments relying on NanoClaw host/container filesystem boundary
Discovery Timeline
- 2026-05-06 - CVE-2026-7875 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7875
Vulnerability Analysis
NanoClaw exposes an outbox directory used to transfer attachments produced inside a container to the host. The runtime trusts container-supplied messages_out.id and content.files values when constructing host-side filesystem paths. Because these inputs are not normalized or constrained to the outbox root, a container can include traversal sequences such as ../ or absolute paths to reference arbitrary host locations. The host then reads those locations as if they were attachments, returning their contents through the message exchange path.
The outbox cleanup routine compounds the issue. After a message is processed, NanoClaw recursively removes files associated with the outbox entry. If a container plants a symbolic link inside its outbox or references a path outside the outbox root through the same crafted identifiers, cleanup follows the link and deletes targets on the host filesystem. The vulnerability requires local access with low privileges and no user interaction, which matches typical container-to-host adjacency.
Root Cause
The runtime fails to canonicalize and contain attacker-controlled path components within the designated outbox directory. Both the read path and the cleanup path operate on joined paths without verifying that the resolved target remains a descendant of the outbox root, and without rejecting symbolic links that escape the boundary.
Attack Vector
An attacker who controls or prompt-injects an agent running inside a NanoClaw-managed container submits a messages_out payload with a manipulated id or content.files entry, or writes a symbolic link into the outbox. NanoClaw then reads or deletes the resolved host path on behalf of the container, crossing the intended trust boundary.
No verified exploit code is available. Implementation details are documented in the GitHub Pull Request #2001 and the GitHub Commit Update.
Detection Methods for CVE-2026-7875
Indicators of Compromise
- Host-side file reads originating from the NanoClaw process targeting paths outside the configured outbox root.
- messages_out payloads containing id or content.files values with traversal sequences such as ../, encoded variants, or absolute paths.
- Symbolic links present in container-controlled outbox directories that resolve to host paths such as /etc, /root, or /var.
- Unexpected recursive deletions on the host filesystem correlated with NanoClaw outbox cleanup events.
Detection Strategies
- Monitor NanoClaw process file access with auditd or eBPF and alert when resolved paths fall outside the outbox root.
- Inspect message payloads for traversal patterns in messages_out.id and content.files fields before they reach the runtime.
- Track creation of symlinks inside outbox directories whose targets resolve outside the outbox boundary.
Monitoring Recommendations
- Enable filesystem audit rules covering sensitive host directories adjacent to the NanoClaw working tree.
- Forward NanoClaw runtime logs and host audit events to a central analytics platform for correlation with container activity.
- Alert on cleanup operations that delete files outside the expected outbox path prefix.
How to Mitigate CVE-2026-7875
Immediate Actions Required
- Upgrade NanoClaw to the version containing the fix introduced in commit 7814e45.
- Audit existing outbox directories for symbolic links and remove any link whose target resolves outside the outbox root.
- Review recent host filesystem deletions and file reads attributable to NanoClaw to identify potential prior exploitation.
Patch Information
The upstream fix is delivered through GitHub Pull Request #2001 and merged in commit 7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7. The patch tightens path handling in outbound attachment processing and outbox cleanup so that resolved paths must remain within the configured outbox root.
Workarounds
- Run NanoClaw under a dedicated low-privilege user that cannot read sensitive host files or write to host directories outside the outbox.
- Mount the outbox directory on a separate filesystem with nosymfollow or equivalent to prevent symlink escapes during cleanup.
- Apply mandatory access control profiles such as AppArmor or SELinux to restrict NanoClaw to the outbox path tree.
- Validate messages_out.id and content.files at an ingress proxy, rejecting values containing path separators or traversal sequences.
# Configuration example: restrict NanoClaw filesystem access with systemd
[Service]
User=nanoclaw
Group=nanoclaw
ReadWritePaths=/var/lib/nanoclaw/outbox
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true
RestrictSUIDSGID=true
# Prevent symlink-based escapes during outbox cleanup
TemporaryFileSystem=/var/lib/nanoclaw/outbox:nosymfollow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
