Authorization Bypass Vulnerability in Poco AI Poco-Claw Workspace API
CVE-2026-15622

6.9MEDIUM

Key Information:

Vendor

Poco-ai

Status
Vendor
CVE Published:
14 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-15622?

A vulnerability exists in the Poco AI Poco-Claw Workspace API that allows an unauthorized user to bypass intended access controls. The issue lies within the function get_workspace_file located in executor_manager/app/api/v1/workspace.py. This flaw arises when the user_id argument is manipulated, enabling a remote attacker to exploit the flaw. It is crucial for users of the affected products to upgrade to versions that incorporate the provided patch to mitigate potential security risks.

Affected Version(s)

poco-claw 0.5.0

poco-claw 0.5.1

poco-claw 0.5.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eric-b (VulDB User)
.