CVE-2026-56694

MEDIUM NVD

CVSS Score 5.4

Severity MEDIUM

Published Jun 23, 2026

Vendor unknown

Description

NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channels into out-of-scope agent groups, exposing unauthorized groups to unapproved channels and enabling unauthorized observation or control of restricted agent group activity.

References

https://github.com/nanocoai/nanoclaw/commit/0eef8fafdd7c475ab5fd8d37ea566a81e74cd834
https://github.com/nanocoai/nanoclaw/pull/2566
https://www.vulncheck.com/advisories/nanoclaw-privilege-escalation-via-forged-channel-approval-callback