CVE-2026-43990: JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped
Summary
JunoClaw, an agentic AI platform (a system where AI agents can perform tasks autonomously) built on Juno Network, had a vulnerability in its plugin-shell component where commands supplied by agents were wrapped in shell interpreters without proper sanitization. This allowed shell metacharacters (special characters like pipes or semicolons that have meaning to the shell) in agent-supplied arguments to be interpreted as actual commands rather than plain text, potentially letting attackers run unintended commands. The vulnerability was fixed in version 0.x.y-security-1.
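The difference between shell-wrapped and argv-based execution, as an added example that is not JunoClaw's code and does not reproduce its fix. The function names, the allowlist and the sample argument are assumptions made for illustration.

```python
import shlex
import subprocess

# Constructed agent-supplied argument: a filename followed by shell metacharacters.
AGENT_ARG = "report.txt; echo INJECTED"

# Hypothetical allowlist of programs an agent may invoke.
ALLOWED_PROGRAMS = {"echo"}


def _run(argv):
    """Run argv without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_wrapped(program, arg):
    """Vulnerable pattern: the argument is pasted into a string parsed by sh."""
    return _run(["sh", "-c", f"{program} {arg}"])


def run_wrapped_quoted(program, arg):
    """If a shell is unavoidable, quote every agent-supplied value."""
    return _run(["sh", "-c", f"{shlex.quote(program)} {shlex.quote(arg)}"])


def run_argv(program, arg):
    """Preferred pattern: allowlisted program, no shell, one argv slot per argument."""
    if program not in ALLOWED_PROGRAMS:
        raise PermissionError(f"program not allowed: {program!r}")
    return _run([program, arg])


if __name__ == "__main__":
    # Compare what each pattern does with the same constructed argument.
    for fn in (run_wrapped, run_wrapped_quoted, run_argv):
        print(fn.__name__, "->", fn("echo", AGENT_ARG).splitlines())
```

In the wrapped form the `;` ends the first command and the shell runs a second one; in the other two forms the whole string reaches the program as a single literal argument.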
Solution / Mitigation
Update JunoClaw to version 0.x.y-security-1 or later, where this vulnerability is fixed.
Vulnerability Details
CVSS score: 8.4 (high)
EPSS: 0.0%
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: local
Attack complexity: low
Privileges required: none
User interaction: none
May 12, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-43990
First tracked: May 12, 2026 at 02:07 PM