Technical description
NanoClaw, an agentic container framework, contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup. A compromised or prompt-injected container can read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symbolic links, achieving arbitrary host filesystem read and write access. The vulnerability was disclosed May 6, 2026, with CVSS 8.8.
Attack vector
Path traversal via specially-crafted message metadata or symbolic links in the container outbox. An attacker controlling container inputs (e.g., via prompt injection or direct compromise) can reference paths outside the container boundary, exploiting insufficient path sanitization during attachment processing. No authentication required if the attacker can influence container execution.
Affected systems
NanoClaw versions prior to the May 6, 2026 patch commit (7814e45). Deployments where untrusted code or prompts can influence containerized agent behavior are at highest risk. Affects environments using NanoClaw for agentic workflows with file-system interaction.
Mitigation
Upgrade to NanoClaw commit 7814e45 or later from the qwibitai/nanoclaw GitHub repository. Organizations deploying container-based agents should audit filesystem isolation boundaries and validate that agent frameworks enforce strict path sanitization when handling user-supplied or agent-generated file references.