CVE-2026-56693

MEDIUM 5.5

NanoClaw < 2.1.17 - Privilege Escalation via Unauthorized create_agent System Action

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke create_agent to create arbitrary agent groups, container configurations, and destinations, escalating beyond their intended confinement boundary.

CWE	CWE-602
Vendor	nanocoai
Product	nanoclaw
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for nanocoai nanoclaw

Be the first to know when new medium vulnerabilities affecting nanocoai nanoclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

nanocoai / nanoclaw

0 < 2.1.17

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nanocoai/nanoclaw/pull/2720 github.com: https://github.com/nanocoai/nanoclaw/commit/ac37ecbfd6b9d14fdfa1598a6412a8ffdbeaef45 vulncheck.com: https://www.vulncheck.com/advisories/nanoclaw-privilege-escalation-via-unauthorized-create-agent-system-action

Credits

Chia Min Jun Lennon