| Title | Sipeed PicoClaw <= 0.2.9 Incorrect Authorization (CWE-863) |
|---|
| Description | # Technical Details
An authorization bypass exists in the MQTT inbound authorization flow in `pkg/channels/mqtt/mqtt.go` and `pkg/channels/base.go` of PicoClaw.
The application fails to authenticate that the MQTT topic `{client_id}` belongs to the real sender. `clientIDFromTopic` extracts the attacker-controlled client identifier from the topic path, and `handleInbound` stores it into `InboundContext.SenderID`. The common channel authorization layer then performs raw allowlist matching against this untrusted `SenderID`.
# Vulnerable Code
File: `pkg/channels/mqtt/mqtt.go`
Method: `clientIDFromTopic`, `handleInbound`
Why: Extracts `{client_id}` directly from the MQTT topic and forwards it as sender identity.
File: `pkg/channels/base.go`
Method: `IsAllowedSender` / inbound allowlist handling
Why: Falls back to raw string matching on `InboundContext.SenderID` when no authenticated `SenderInfo` is supplied.
# Reproduction
1. Configure MQTT with `allow_from` containing a trusted client identifier.
2. Connect or publish through the MQTT channel using a topic whose `{client_id}` segment is set to the trusted identifier.
3. Send a message from an untrusted MQTT client.
4. Observe that PicoClaw treats the topic-derived value as trusted sender identity and accepts the inbound message.
# Impact
- Bypasses MQTT channel sender allowlists.
- Allows untrusted MQTT publishers to impersonate allowlisted client identifiers.
- Can expose the agent runtime to unauthorized prompt injection, tool invocation, or downstream automation. |
|---|
| Source | ⚠️ https://github.com/sipeed/picoclaw/issues/3068 |
|---|
| User | Eric-d (UID 96861) |
|---|
| Submission | 06/09/2026 12:15 (1 month ago) |
|---|
| Moderation | 07/09/2026 20:07 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 377258 [Sipeed PicoClaw up to 0.2.9 MQTT Channel mqtt.go client_id authorization] |
|---|
| Points | 20 |
|---|