CVE-2026-56402

MEDIUM 6.5

NanoClaw < 2.1.17 - Privilege Escalation via Unverified Approval Response Handler

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response payloads without proper role validation.

CWE	CWE-862
Vendor	nanocoai
Product	nanoclaw
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for nanocoai nanoclaw

Be the first to know when new medium vulnerabilities affecting nanocoai nanoclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

nanocoai / nanoclaw

0 < 2.1.17

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nanocoai/nanoclaw/pull/2478 github.com: https://github.com/nanocoai/nanoclaw/commit/6227bd1a5b016fb1eb76411bb6681b4c924a51a0 vulncheck.com: https://www.vulncheck.com/advisories/nanoclaw-privilege-escalation-via-unverified-approval-response-handler

Credits

Chia Min Jun Lennon