Authorization Bypass Vulnerability in Poco AI Poco-Claw Workspace API
CVE-2026-15622
Key Information:
Badges
What is CVE-2026-15622?
A vulnerability exists in the Poco AI Poco-Claw Workspace API that allows an unauthorized user to bypass intended access controls. The issue lies within the function get_workspace_file located in executor_manager/app/api/v1/workspace.py. This flaw arises when the user_id argument is manipulated, enabling a remote attacker to exploit the flaw. It is crucial for users of the affected products to upgrade to versions that incorporate the provided patch to mitigate potential security risks.
Affected Version(s)
poco-claw 0.5.0
poco-claw 0.5.1
poco-claw 0.5.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
