CVE-2026-43992: JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens,
Summary
CVE-2026-43992 is a vulnerability in JunoClaw, an agentic AI platform (a system where AI makes decisions and takes actions) built on Juno Network. Before version 0.x.y-security-1, the platform's MCP write tools (functions that send tokens or execute contracts) required users to provide a BIP-39 seed (a cryptographic key used to generate wallet credentials) as a plain text parameter, which exposed this sensitive information to logs, telemetry, and other systems between the AI provider and the MCP process.
Solution / Mitigation
This vulnerability is fixed in version 0.x.y-security-1. Users should upgrade to this version.
Vulnerability Details
9.8(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
network
low
none
none
May 12, 2026
Classification
Affected Vendors
Related Issues
GHSA-382c-vx95-w3p5: Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-43992
First tracked: May 12, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 92%