Description
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
Problem types
Incorrect Privilege Assignment
Product status
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
Timeline
| 2026-07-09: | Advisory disclosed |
| 2026-07-09: | VulDB entry created |
| 2026-07-09: | VulDB entry last update |
Credits
Eric-d (VulDB User)
References
vuldb.com/vuln/377259 (VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control)
vuldb.com/vuln/377259/cti (VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA))
vuldb.com/cve/CVE-2026-15319 (CVE-2026-15319 | CVE Analysis and Report)
vuldb.com/submit/852884 (Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284))
github.com/sipeed/picoclaw/issues/3069
github.com/sipeed/picoclaw/pull/3126
github.com/sipeed/picoclaw/