CVE-2026-43991: JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin
Summary
JunoClaw is an agentic AI platform (an AI system that decides on and carries out actions autonomously) built on Juno Network. Before version 0.x.y-security-1, the command-safety check in its plugin-shell matched a substring-based blocklist (a filter that rejects commands containing certain text patterns) against the raw command string rather than against the first parsed token (the program actually being invoked). Because the comparison was made on the raw string instead of the parsed program name, an attacker could craft command arguments that evaded the blocklist, leading to unauthorized command execution on the host system.
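To make the raw-string versus first-token distinction concrete, here is an added example that is not JunoClaw's code and does not reproduce its actual check or blocklist. It places a substring blocklist applied to the raw string beside a check that tokenizes the command the way a POSIX shell would and compares the first token of each simple command. The blocked program names, the function names and the sample commands are all hypothetical, constructed for this illustration.

```python
import shlex
from typing import List

# Hypothetical denylist of program names for this example; not JunoClaw's list.
BLOCKED_PROGRAMS = {"rm", "dd", "mkfs", "shutdown", "reboot"}

# Characters that shlex.shlex(punctuation_chars=True) returns as their own
# tokens; runs of them (";", "&&", "||", "|", "(", ")", ">&") separate simple commands.
_PUNCTUATION = set("();<>|&")


def substring_blocklist_allows(cmd: str) -> bool:
    """Weak check: look for blocked names anywhere in the raw string.

    This is the pattern the advisory describes as flawed. Shell quoting and
    escaping change the bytes of the raw string without changing what the
    shell runs, so 'r'm and r""m both slip past this check yet execute rm.
    """
    return not any(name in cmd for name in BLOCKED_PROGRAMS)


def split_simple_commands(cmd: str) -> List[List[str]]:
    """Tokenize like a POSIX shell and split at control operators.

    Returns one argv-style list per simple command, e.g.
    "echo hi; rm -rf /" -> [["echo", "hi"], ["rm", "-rf", "/"]].
    Raises ValueError on unbalanced quotes; callers should fail closed.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep arguments such as --flag=value intact
    commands, current = [], []
    for token in lexer:
        if token and all(ch in _PUNCTUATION for ch in token):
            # A control operator or redirection ends the current simple
            # command. Redirection targets then form a tiny bogus "command"
            # (e.g. ["1"] from 2>&1); that is harmless for a denylist.
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def first_token_blocklist_allows(cmd: str) -> bool:
    """Hardened check: deny if the program name of any simple command is blocked.

    Parsing first collapses quoting tricks to the real program name before the
    comparison. Fails closed on unparseable input and on empty input.
    """
    try:
        commands = split_simple_commands(cmd)
    except ValueError:
        return False
    if not commands:
        return False
    return not any(argv[0] in BLOCKED_PROGRAMS for argv in commands)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    samples = [
        "ls -la /tmp",
        "rm -rf /",
        "'r'm -rf /",         # quoting hides the substring; the shell still runs rm
        'r""m -rf /',         # empty quotes do the same
        "echo hi; rm -rf /",  # blocked program is the second command in a list
        "ls && \\rm -rf /",   # backslash escape, which also skips shell aliases
    ]
    for s in samples:
        print(f"{s!r:24} substring={substring_blocklist_allows(s)!s:5} "
              f"first_token={first_token_blocklist_allows(s)}")
```

Even the parsed first-token check is still a denylist, and a denylist on program names does not see commands reached through `bash -c`, `env`, `xargs`, or `$(...)` substitution. For a plugin that hands untrusted strings to a shell, the practitioner's default is an allowlist of permitted programs, with each command executed as an argv array and no shell in between.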
Solution / Mitigation
Update to version 0.x.y-security-1 or later, which fixes the vulnerability.
Vulnerability Details
CVSS base score: 8.4 (High)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Date: May 12, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-43991
First tracked: May 12, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 85%