Improper Authentication Mechanism in unitedbyai droidclaw
CVE-2026-10216

6.3 MEDIUM

Key Information:

Vendor: Unitedbyai

Status: Vendor

CVE Published: 1 June 2026

Badges

👾 Exploit Exists · 🟡 Public PoC

What is CVE-2026-10216?

A security flaw has been identified in the droidclaw product by unitedbyai in versions prior to 0.5.3. The vulnerability stems from improper restriction of excessive authentication attempts in an unknown function of the file server/src/routes/pairing.ts, belonging to the claim endpoint. Because the endpoint does not limit how many times a client may try, a remote attacker can submit an excessive number of authentication attempts against it. The attack complexity is rated high, but an exploit has been made public. The unitedbyai team was notified of this vulnerability through a report but has yet to provide an official resolution.
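The class of weakness described above is the absence of any limit on failed attempts against a pairing code. The following is an added example, not droidclaw's code and not taken from the affected pairing.ts: it sketches what a claim handler with attempt limiting looks like. The session store, the six-digit code format, the per-client key (client address plus session id), the failure threshold and the lockout window are all assumptions chosen for illustration.

```typescript
// Added example (not droidclaw's code): attempt limiting for a pairing "claim" handler.
// Everything here is hypothetical: the code format, thresholds and session store are assumed.

type Outcome = "ok" | "invalid" | "locked";

interface AttemptState {
  failures: number;
  lockedUntil: number; // epoch ms; 0 when not locked
}

// Tracks failed attempts per key and enforces a lockout once the threshold is hit.
class ClaimGuard {
  private readonly state = new Map<string, AttemptState>();

  constructor(
    private readonly maxFailures: number = 5,
    private readonly lockoutMs: number = 15 * 60 * 1000,
  ) {}

  // Remaining lockout in ms for a key, or 0 when attempts are currently allowed.
  lockedFor(key: string, now: number): number {
    const s = this.state.get(key);
    if (!s || s.lockedUntil <= now) return 0;
    return s.lockedUntil - now;
  }

  recordFailure(key: string, now: number): void {
    let s = this.state.get(key);
    if (!s) s = { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.lockedUntil = now + this.lockoutMs; // lock the key for the full window
      s.failures = 0; // a fresh count starts after the lockout expires
    }
    this.state.set(key, s);
  }

  recordSuccess(key: string): void {
    this.state.delete(key);
  }
}

// Constant-time comparison so response timing does not reveal how many characters matched.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Pending pairing sessions: session id -> expected one-time code (constructed sample data).
const pendingPairings = new Map<string, string>([["session-1", "482913"]]);

// Handle one claim request. The guard key combines the client address and the session
// being claimed, so an attacker cannot reset the count by switching sessions.
function claimPairing(
  guard: ClaimGuard,
  clientAddr: string,
  sessionId: string,
  submittedCode: string,
  now: number,
): Outcome {
  const key = clientAddr + "|" + sessionId;
  if (guard.lockedFor(key, now) > 0) return "locked";
  const expected = pendingPairings.get(sessionId);
  // An unknown session counts as a failure too, so session ids cannot be enumerated for free.
  if (expected === undefined || !constantTimeEqual(expected, submittedCode)) {
    guard.recordFailure(key, now);
    return "invalid";
  }
  guard.recordSuccess(key);
  pendingPairings.delete(sessionId); // one-time code: a successful claim cannot be replayed
  return "ok";
}
```

The limiter returns a distinct "locked" outcome even when the submitted code happens to be right, which is the property missing from an endpoint that accepts unlimited attempts; a real deployment would back the map with a shared store and add a global per-address budget so the per-session counters cannot be sidestepped.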

Affected Version(s)

droidclaw 0.5.0

droidclaw 0.5.1

droidclaw 0.5.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eric-b (VulDB User)
VulDB CNA Team