Missing Authorization Vulnerability in Sipeed PicoClaw Product
CVE-2026-15320
Key Information:
Badges
What is CVE-2026-15320?
A significant vulnerability exists in Sipeed PicoClaw versions up to 0.2.9, specifically impacting the rt.ReloadConfig function located in pkg/channels/pico/pico.go. By manipulating the message.send argument, attackers can bypass authorization checks, allowing unauthorized access to critical functionalities. This vulnerability can be exploited remotely, raising serious security concerns for any systems utilizing this product. The exploit has been made public, and users are urged to take immediate action to secure their implementations, given that related issues on platforms like GitHub have been closed due to inactivity.
Affected Version(s)
PicoClaw 0.2.0
PicoClaw 0.2.1
PicoClaw 0.2.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
