CVE-2026-15622

Source
https://cve.org/CVERecord?id=CVE-2026-15622
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15622.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15622
Published
2026-07-14T01:15:13.193Z
Modified
2026-07-16T03:48:31.019136482Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization
Details

A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 67fcc88505c57f77d3fcf04eb5b89425b10cbf48. Upgrading the affected component is recommended.

Database specific
{
    "cwe_ids": [
        "CWE-285",
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15622.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/poco-ai/poco-claw

Affected ranges

Type
GIT
Repo
https://github.com/poco-ai/poco-claw
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.5.0"
        },
        {
            "last_affected": "0.5.0"
        },
        {
            "introduced": "0.5.1"
        },
        {
            "last_affected": "0.5.1"
        },
        {
            "introduced": "0.5.2"
        },
        {
            "last_affected": "0.5.2"
        },
        {
            "introduced": "0.5.3"
        },
        {
            "last_affected": "0.5.3"
        },
        {
            "introduced": "0.5.4"
        },
        {
            "last_affected": "0.5.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15622.json"