CVE-2026-16015 in poco-claw
Summary
by MITRE • 07/17/2026
A vulnerability was determined in poco-ai poco-claw up to 0.5.4. This vulnerability affects the function create_task of the file executor_manager/app/api/v1/tasks.py of the component executor_manager API. Executing a manipulation can lead to missing authentication. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.5.7 is able to resolve this issue. This patch is called 67fcc88505c57f77d3fcf04eb5b89425b10cbf48. It is recommended to upgrade the affected component.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability resides within the poco-ai poco-claw framework version 0.5.4 and earlier, specifically targeting the executor_manager API component. The flaw manifests in the create_task function located at executor_manager/app/api/v1/tasks.py, representing a critical security weakness that compromises the system's authentication mechanisms. The vulnerability allows for unauthorized manipulation that bypasses proper access controls, potentially enabling malicious actors to execute tasks without proper authorization.
The technical implementation of this vulnerability stems from inadequate input validation and authentication checks within the task creation endpoint. When an attacker crafts specific requests to the create_task function, they can exploit the missing authentication layer to perform operations that should require proper credentials. This represents a classic authentication bypass vulnerability where the system fails to verify the identity of users attempting to create tasks through the API interface.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it could enable attackers to execute arbitrary tasks within the system's infrastructure. This capability poses significant risks to system integrity and data security, particularly in environments where task execution might involve sensitive operations or privileged commands. The publicly disclosed nature of the exploit increases the likelihood of active exploitation, making immediate remediation essential.
According to CWE standards, this vulnerability aligns with CWE-287, which addresses improper authentication issues, and potentially CWE-352, addressing cross-site request forgery concerns that could arise from insecure API endpoints. The ATT&CK framework would categorize this under privilege escalation techniques through API abuse, specifically targeting the execution of unauthorized commands within the system.
The recommended mitigation involves upgrading to version 0.5.7, which includes the patch identified by commit hash 67fcc88505c57f77d3fcf04eb5b89425b10cbf48. This upgrade addresses the authentication gap in the create_task function and restores proper access controls for task creation operations. Organizations should prioritize this update to prevent potential exploitation of the vulnerability, especially given its public disclosure status. The patch likely implements proper authentication checks and input validation mechanisms that ensure only authorized users can create tasks through the API endpoint.
Security teams should also conduct thorough assessments of their current deployments to identify any instances running vulnerable versions, as well as monitor for potential exploitation attempts in their network traffic logs. Additionally, implementing additional security controls such as API rate limiting and enhanced monitoring around task creation endpoints can provide defense-in-depth measures against potential abuse of this vulnerability.