CVE-2026-9453 Overview
CVE-2026-9453 is a command injection vulnerability [CWE-74] in FoundDream miniclawd up to commit 2d65665046e2222eeea76cafc8570ed546a8c125. The flaw resides in the which function within /src/application/skills-loader.ts, part of the SkillsLoader component. Attackers can manipulate the requires.bins argument to inject and execute arbitrary commands. The attack is remotely exploitable and a public exploit is available. Because miniclawd uses a rolling release model, no specific fixed version is published. The maintainer was notified through a GitHub issue but has not responded.
Critical Impact
Remote attackers can inject operating system commands through the requires.bins argument processed by the SkillsLoader component, leading to arbitrary command execution on hosts running affected miniclawd commits.
Affected Products
- FoundDream miniclawd up to commit 2d65665046e2222eeea76cafc8570ed546a8c125
- Component: SkillsLoader (/src/application/skills-loader.ts)
- Affected function: which
Discovery Timeline
- 2026-05-25 - CVE-2026-9453 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9453
Vulnerability Analysis
The vulnerability exists in the which function in /src/application/skills-loader.ts. The SkillsLoader component processes a requires.bins argument that is passed without proper sanitization into a command execution context. Attackers control the input and can append shell metacharacters or chained commands that the host process executes. Because the attack vector is the network, exploitation does not require local access or authentication. A public proof of concept is referenced through the project's GitHub issue tracker and the VulDB entry. The EPSS score is 1.306% with a percentile of 80.067, indicating elevated exploitation likelihood relative to most CVEs.
Root Cause
The root cause is improper neutralization of special elements used in a downstream command, classified under [CWE-74]. The which helper concatenates attacker-controlled requires.bins values into a command string instead of using a safe argument-array execution primitive. Any shell metacharacter in requires.bins is interpreted by the underlying shell.
Attack Vector
An attacker triggers the SkillsLoader flow with a crafted skill manifest whose requires.bins field contains injected shell syntax. When miniclawd resolves the binary using the vulnerable which function, the injected payload executes with the privileges of the miniclawd process. No authentication is required, and the operation can be invoked remotely.
No verified exploit code is reproduced here. Refer to the public PoC repository and the VulDB CTI record for technical reproduction details.
Detection Methods for CVE-2026-9453
Indicators of Compromise
- Unexpected child processes spawned by the miniclawd Node.js runtime, particularly shells (sh, bash, cmd.exe) executing chained commands.
- Skill manifests or configuration payloads containing shell metacharacters (;, |, &&, backticks, $()) inside the requires.bins field.
- Outbound network connections from the miniclawd host process to unfamiliar IP addresses shortly after skill loading.
Detection Strategies
- Inspect logs from SkillsLoader for skill load events where requires.bins contains non-alphanumeric characters beyond standard path separators.
- Apply process-lineage detection rules that flag the miniclawd parent spawning interactive shells or scripting interpreters.
- Hunt for file writes, credential access, or reconnaissance commands originating from the miniclawd process tree.
Monitoring Recommendations
- Forward host process, file, and network telemetry from systems running miniclawd to a centralized analytics pipeline.
- Monitor the GitHub repository for new commits past 2d65665046e2222eeea76cafc8570ed546a8c125 that modify /src/application/skills-loader.ts.
- Alert on any modification of skill definition files containing requires.bins values supplied from untrusted sources.
How to Mitigate CVE-2026-9453
Immediate Actions Required
- Restrict network exposure of miniclawd deployments and place them behind authenticated reverse proxies.
- Treat all skill manifests and requires.bins inputs as untrusted; reject values containing shell metacharacters.
- Run miniclawd under a least-privilege service account with no shell access and no write access to sensitive paths.
Patch Information
No official patch is available. The maintainer was notified through GitHub Issue #2 but has not responded. Because miniclawd uses a rolling release model, defenders should track commits in the upstream repository for fixes that replace shell-based binary resolution with safe argument-array execution.
Workarounds
- Fork the project and replace the vulnerable which invocation with a call that passes arguments as an array rather than a concatenated shell string.
- Validate requires.bins against an allowlist of expected binary names using a strict regular expression such as ^[A-Za-z0-9_-]+$.
- Disable or remove the SkillsLoader flow until a verified fix lands upstream.
# Example allowlist validation before invoking the vulnerable resolver
bin="$1"
if [[ ! "$bin" =~ ^[A-Za-z0-9_-]+$ ]]; then
echo "rejected: invalid binary name" >&2
exit 1
fi
command -v "$bin"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
