CVE-2026-43992
JunoClaw: MCP write tools exposed raw BIP-39 mnemonic as a tool-call parameter
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in the LLM tool-call JSON, exposing it to any transport, log, or telemetry surface in the path between the LLM provider and the MCP process. This vulnerability is fixed in 0.x.y-security-1.
| CWE | CWE-200 CWE-312 CWE-522 CWE-532 |
| Vendor | dragonmonk111 |
| Product | junoclaw |
| Published | May 12, 2026 |
| Last Updated | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for dragonmonk111 junoclaw
Be the first to know when new critical vulnerabilities affecting dragonmonk111 junoclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Dragonmonk111 / junoclaw
< v0.x.y-security-1