AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-43989: JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a

highvulnerability

security

Source: NVD/CVE DatabaseMay 12, 2026CVE-2026-43989

Summary

JunoClaw, an agentic AI platform (a system where AI makes decisions and takes actions) built on Juno Network, had a vulnerability in its upload_wasm MCP tool (a component that lets the AI upload compiled code). The tool accepted file paths from the AI without checking if the path was valid, if it pointed to unintended locations through shortcuts, or if the file was the right type, allowing it to upload any file on the system. This was fixed in version 0.x.y-security-1.

Solution / Mitigation

Update to version 0.x.y-security-1, which contains the fix for this vulnerability.

Vulnerability Details

CVSS Score

8.5(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Attack Vector

local

Attack Complexity

low

Privileges Required

none

User Interaction

required

Disclosure Date

May 12, 2026

Classification

Attack Type

Supply Chain

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-20 CWE-22 CWE-59 CWE-73

Affected Vendors

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Similar attackNVD/CVE Database

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-43989

First tracked: May 12, 2026 at 02:07 PM

Classified by LLM (prompt v3) · confidence: 85%