إرسال #852942: Sipeed PicoClaw <= 0.2.9 Missing Authorization (CWE-862)المعلومات

عنوانSipeed PicoClaw <= 0.2.9 Missing Authorization (CWE-862)
الوصف# Technical Details A missing authorization vulnerability exists in the Pico WebSocket command path in `pkg/channels/pico/pico.go`, `pkg/agent/agent_command.go`, and `pkg/commands/cmd_reload.go` of PicoClaw. The application fails to restrict the privileged `/reload` command to administrative channels. Any authenticated Pico WebSocket client can send normal chat content `/reload`, which is routed into the command executor and triggers the live gateway reload callback. # Vulnerable Code File: `pkg/channels/pico/pico.go` Method: `handleMessageSend` Why: Accepts authenticated Pico `message.send` content and forwards it into the generic inbound agent pipeline. File: `pkg/agent/agent_command.go` Method: command dispatch path Why: Routes any slash-prefixed inbound chat content into the command executor without checking privilege. File: `pkg/commands/cmd_reload.go` Method: `reloadCommand` Why: Invokes `rt.ReloadConfig()` without channel, role, or admin authorization. # Reproduction 1. Run PicoClaw <= 0.2.9 with the Pico channel enabled. 2. Connect to `/pico/ws` using a valid Pico token. 3. Send a `message.send` payload whose content is `/reload`. 4. Observe a response such as `Config reload triggered!`. 5. Confirm unauthenticated direct HTTP `POST /reload` remains protected with `401`, showing the chat path bypasses the intended management authorization. # Impact - Lets lower-privileged authenticated Pico chat clients invoke an administrative runtime action. - Can disrupt availability by repeatedly reloading gateway configuration. - Can interfere with administrator changes and runtime state.
المصدر⚠️ https://github.com/sipeed/picoclaw/issues/3071
المستخدم
 Eric-i (UID 97584)
ارسال09/06/2026 01:28 PM (1 شهر منذ)
الاعتدال09/07/2026 08:07 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB377260 [Sipeed PicoClaw حتى 0.2.9 pico.go rt.ReloadConfig message.send تجاوز الصلاحيات]
النقاط20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!