Command Injection Vulnerability in JunoClaw AI Platform
CVE-2026-43990

8.4 HIGH

Key Information:

CVE Published: 12 May 2026

What is CVE-2026-43990?

The JunoClaw AI platform, developed by Juno Network, has a command injection vulnerability in its plugin-shell component prior to version 0.x.y-security-1. The issue arises from the way agent-supplied commands are processed, where commands are wrapped in 'sh -c' or 'cmd /C', allowing shell metacharacters to be interpreted as command syntax. This could lead to unauthorized command execution, compromising the security of affected systems. The vulnerability was addressed in version 0.x.y-security-1. Users are advised to update promptly to mitigate risks.
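The difference between the wrapped form described above and execution without a shell, as an added example (not JunoClaw's code and not its actual fix). The function names, the allowlist and the sample commands are constructed for illustration, and only the POSIX `sh -c` case is shown:

```python
import shlex
import subprocess

# Hypothetical allowlist of programs an agent may launch (assumption).
ALLOWED_PROGRAMS = {"echo", "ls", "cat"}


def run_wrapped(agent_command: str) -> str:
    """Pattern from the advisory: the whole string is handed to `sh -c`,
    so `;`, `|`, `$(...)` and similar are parsed as shell syntax."""
    result = subprocess.run(["sh", "-c", agent_command],
                            capture_output=True, text=True, timeout=5)
    return result.stdout


def run_argv(agent_command: str) -> str:
    """Hardened form: split once into argv, check the program name,
    then execute directly so no shell ever parses the input."""
    argv = shlex.split(agent_command)
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        # Without this check an agent could still ask for `sh -c ...`.
        raise PermissionError(f"program not allowed: {argv[:1]}")
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


def compare(agent_command: str) -> dict:
    """Run one constructed command both ways and return both outputs."""
    return {"wrapped": run_wrapped(agent_command),
            "argv": run_argv(agent_command)}


if __name__ == "__main__":
    # Constructed inputs: harmless echo commands carrying metacharacters.
    for sample in ("echo report; echo INJECTED", "echo $(echo INJECTED)"):
        print(repr(sample), "->", compare(sample))
```

With the wrapped form the second `echo` runs as its own command; with the argv form the metacharacters reach `echo` as literal argument text.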

Affected Version(s)

junoclaw < v0.x.y-security-1

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
