Vulnerability in JunoClaw AI Platform Exposes BIP-39 Seed in Tool Calls
CVE-2026-43992

9.8CRITICAL

Key Information:

Vendor

Dragonmonk111

Status
Junoclaw
Vendor
CVE Published:
12 May 2026

What is CVE-2026-43992?

The JunoClaw AI platform, built on the Juno Network, suffers from a vulnerability that allows sensitive data, specifically BIP-39 seeds, to be directly exposed through tool-call parameters. Tools such as send_tokens, execute_contract, instantiate_contract, upload_wasm, and ibc_transfer, prior to version 0.x.y-security-1, transmitted the 'mnemonic: string' openly in their JSON tool-call structures. This oversight means that any transport, log, or telemetry surfaces could inadvertently store this sensitive information, placing users at risk. To safeguard against this vulnerability, users are urged to upgrade to version 0.x.y-security-1 or later.

Affected Version(s)

junoclaw < v0.x.y-security-1

References

https://github.com/Dragonmonk111/junoclaw/security/adviso...
x_refsource_CONFIRM
https://github.com/Dragonmonk111/junoclaw/commit/339701e
x_refsource_MISC
https://github.com/Dragonmonk111/junoclaw/releases/tag/v0...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.