CVE-2026-10281
HIGH
Enderfga claw-orchestrator <= 3.5.5 - Missing Authentication in EmbeddedServer API Endpoint
Title source: llm
Description
A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. It affects the function EmbeddedServer in the file src/embedded-server.ts of the API Endpoint component and results in missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The affected component should be upgraded to version 3.5.6, which mitigates this issue. The patch is named d0b02a800aa0689d9428cc4cc170e0b6589fb2c3.
References (8)
Core References
Permissions Required, VDB Entry
https://vuldb.com/submit/825429
Permissions Required, VDB Entry
https://vuldb.com/vuln/367574
Permissions Required, VDB Entry
https://vuldb.com/vuln/367574/cti
Issue Tracking
https://github.com/Enderfga/claw-orchestrator/issues/61
Permissions Required, VDB Entry
https://vuldb.com/cve/CVE-2026-10281
Scores
CVSS v3
7.3
EPSS
0.0041
EPSS Percentile
32.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-287
CWE-306
Status
published
Published
Jun 01, 2026
Tracked Since
Jun 02, 2026