AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-43992: JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens,

criticalvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseMay 12, 2026CVE-2026-43992

Summary

CVE-2026-43992 is a vulnerability in JunoClaw, an agentic AI platform (a system where AI makes decisions and takes actions) built on Juno Network. Before version 0.x.y-security-1, the platform's MCP write tools (functions that send tokens or execute contracts) required users to provide a BIP-39 seed (a cryptographic key used to generate wallet credentials) as a plain text parameter, which exposed this sensitive information to logs, telemetry, and other systems between the AI provider and the MCP process.

Solution / Mitigation

This vulnerability is fixed in version 0.x.y-security-1. Users should upgrade to this version.

Vulnerability Details

CVSS Score

9.8(critical)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

May 12, 2026

Classification

Attack Type

PII LeakageData Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

Taxonomy References

CWE (Weakness Type)

CWE-200 CWE-312 CWE-522 CWE-532

Affected Vendors

Related Issues

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

Similar attackNVD/CVE Database

high

CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-43992

First tracked: May 12, 2026 at 02:07 PM

Classified by LLM (prompt v3) · confidence: 92%