CVE-2026-9452 Overview
CVE-2026-9452 is an OS command injection vulnerability in FoundDream miniclawd up to commit 2d65665046e2222eeea76cafc8570ed546a8c125. The flaw resides in the ExecTool.execute function within /src/tools/exec.ts, where unsanitized input is passed to operating system command handlers. Attackers can exploit this issue remotely without authentication or user interaction. The exploit has been publicly disclosed, increasing the risk of opportunistic abuse. The project does not use formal versioning, so affected and unaffected releases cannot be enumerated. The maintainer was notified through an issue report but has not responded at the time of disclosure.
Critical Impact
Remote, unauthenticated attackers can inject arbitrary operating system commands through ExecTool.execute, leading to command execution on the host running miniclawd.
Affected Products
- FoundDream miniclawd up to commit 2d65665046e2222eeea76cafc8570ed546a8c125
- The ExecTool.execute function in /src/tools/exec.ts
- Product does not use versioning; no fixed release is identified
Discovery Timeline
- 2026-05-25 - CVE-2026-9452 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9452
Vulnerability Analysis
The vulnerability is classified as OS command injection [CWE-77]. It exists in the ExecTool.execute function defined in /src/tools/exec.ts of the miniclawd project. The function accepts input that is incorporated into an operating system command without adequate neutralization of shell metacharacters or argument boundaries. An attacker reachable over the network can craft input that breaks out of the intended command context and appends arbitrary commands. Because miniclawd exposes the tool interface to remote callers, the attack does not require local access or prior authentication. The EPSS probability of 1.306% (80th percentile) indicates exploitation interest above the baseline of disclosed issues.
Root Cause
The root cause is the construction of an OS command using attacker-controlled data without using safe APIs such as parameterized process spawning or strict allow-list validation. Passing user input to a shell or to functions that interpret shell syntax allows characters like ;, &&, |, and backticks to alter command semantics. The absence of input validation in ExecTool.execute makes injection trivial.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker submits a crafted request that reaches the ExecTool.execute entry point and supplies a payload containing shell metacharacters. The injected commands execute under the privileges of the miniclawd process. The exploit has been disclosed publicly through the project's GitHub issue tracker. Refer to the GitHub Issue Discussion and the VulDB Vulnerability #365433 for additional technical context.
No verified exploit code is reproduced here. Public references describe payloads that
append additional shell commands to arguments processed by ExecTool.execute. See the
GitHub issue and VulDB entry linked above for proof-of-concept details.
Detection Methods for CVE-2026-9452
Indicators of Compromise
- Unexpected child processes spawned by the Node.js runtime hosting miniclawd, such as /bin/sh, bash, or system utilities invoked outside normal workflow.
- Outbound network connections initiated from the miniclawd host to unfamiliar destinations shortly after tool invocation.
- Log entries to ExecTool.execute containing shell metacharacters (;, |, &&, backticks, $()) in input fields.
Detection Strategies
- Inspect application logs for requests that reach ExecTool.execute with payloads containing command separators or substitution syntax.
- Monitor process lineage on hosts running miniclawd and alert when the parent process is the Node.js runtime spawning interactive shells.
- Apply runtime behavioral analytics to flag deviations from the normal command set executed by the application.
Monitoring Recommendations
- Forward miniclawd access logs and host process telemetry to a centralized analytics platform for correlation.
- Baseline expected commands invoked by ExecTool.execute and alert on any deviation.
- Track outbound DNS and HTTP requests from servers hosting miniclawd to identify post-exploitation callbacks.
How to Mitigate CVE-2026-9452
Immediate Actions Required
- Restrict network access to miniclawd instances using firewall rules or reverse-proxy authentication until a fix is available.
- Disable or remove the ExecTool.execute capability if it is not required for production use.
- Run miniclawd under a low-privilege service account and within a sandbox or container with minimal filesystem and network access.
Patch Information
No official patch is available at the time of disclosure. The maintainer of FoundDream miniclawd was notified via the GitHub Issue Discussion but has not responded. Monitor the FoundDream miniclawd repository for upstream fixes and apply them as soon as they are released.
Workarounds
- Replace shell-based command construction in /src/tools/exec.ts with parameterized process execution APIs that pass arguments as arrays rather than strings.
- Implement strict allow-list validation for any input forwarded to ExecTool.execute, rejecting shell metacharacters.
- Place miniclawd behind an authenticating proxy and limit which clients can invoke tool endpoints.
# Example hardening: run miniclawd as an unprivileged user inside a restricted container
docker run --rm \
--user 10001:10001 \
--read-only \
--cap-drop=ALL \
--network=internal-only \
--name miniclawd \
miniclawd:local
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
