LOW 3.7

CVE-2026-10216: Weak Authentication Rate-Limiting in unitedbyai Droidclaw

A vulnerability has been discovered in unitedbyai droidclaw version 0.5.3 and earlier that weakens authentication security on the claim endpoint. The flaw allows attackers to bypass rate limiting or account lockout protections during login attempts, potentially enabling brute-force attacks to guess user credentials. While a public exploit exists, the attack requires specific conditions and technical skill to execute successfully. The vendor has been notified but has not yet released a fix.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-307, CWE-799
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10216 resides in the claim endpoint handler (server/src/routes/pairing.ts) within unitedbyai droidclaw and stems from improper restriction of excessive authentication attempts. The vulnerability is categorized under CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-799 (Improper Control of Interaction Frequency), indicating insufficient rate-limiting or account lockout mechanisms. The attack surface is network-accessible, requires no user interaction, and no authentication privilege, but demands high attack complexity due to implementation-specific conditions. The CVSS v3.1 score of 3.7 (LOW severity) reflects limited confidentiality impact with no integrity or availability damage.

Business impact

The practical business risk is moderate but context-dependent. Organizations relying on droidclaw for API pairing or credential management face increased exposure to unauthorized account access if attackers can systematically probe credentials. The low CVSS score reflects that successful exploitation requires deliberate effort and yields only limited information disclosure rather than system compromise or data theft. For deployments where droidclaw guards sensitive operations, the cumulative risk of credential compromise warrants attention; for others, the impact is marginal.

Affected systems

unitedbyai droidclaw version 0.5.3 and all earlier versions are vulnerable. The vulnerability is triggered through the claim endpoint during the pairing authentication flow. Determine your current droidclaw version and deployment context (internal API, customer-facing service, etc.) to assess whether your organization is affected.

Exploitability

Public exploits are now available, lowering the barrier to weaponization. However, the attack complexity is rated as HIGH, meaning successful exploitation requires specific knowledge of the target system's configuration, timing, or other environmental factors. Automated or generic attacks are unlikely to succeed; targeted, manual effort is needed. This does not eliminate the risk—determined adversaries with reconnaissance capabilities can still exploit the flaw—but it does reduce the probability of opportunistic attacks.

Remediation

Upgrade unitedbyai droidclaw to a patched version as soon as one is released by the vendor. Until a patch is available, implement network-level mitigations: deploy a Web Application Firewall (WAF) or rate-limiting reverse proxy in front of the claim endpoint to enforce strict request throttling per IP or session, implement account lockout policies (e.g., temporary suspension after N failed attempts), and monitor authentication logs for unusual patterns. If droidclaw is not critical to operations, consider disabling or restricting access to the pairing feature until a fix is confirmed.

Patch guidance

Verify the vendor's security advisory on the unitedbyai GitHub repository or official security channel for the version number and release date of the patched build. Patch as soon as testing confirms compatibility with your environment. Given the low CVSS and high attack complexity, patches can be scheduled in a standard maintenance window rather than emergency maintenance, but should not be deferred indefinitely.

Detection guidance

Monitor authentication logs for the claim endpoint (server/src/routes/pairing.ts) for anomalies: rapid successive failed authentication attempts from a single IP, burst patterns that deviate from normal user behavior, or repeated attempts with variations in credentials or headers. Implement alerting on rate-limit thresholds (e.g., >10 failed attempts per minute per IP). Log aggregation and SIEM tools can correlate these signals to identify active exploitation attempts.

Why prioritize this

This vulnerability merits a medium priority in most environments. While the CVSS score is LOW and attack complexity is HIGH, the combination of network accessibility, public exploit availability, and the critical nature of authentication systems justifies elevation above the CVSS rating alone. Credential compromise, even with low probability, has outsized business impact. Organizations should patch within 60–90 days as part of normal update cycles, and sooner if droidclaw is customer-facing or guards sensitive data.

Risk score, explained

The CVSS v3.1 score of 3.7 reflects: (1) network-accessible attack surface (AV:N); (2) high attack complexity, limiting opportunistic exploitation (AC:H); (3) no authentication required (PR:N); (4) low confidentiality impact via information disclosure during credential guessing (C:L); and (5) no integrity or availability impact (I:N, A:N). The score is conservative and does not fully capture the reputational and operational risk of credential compromise. Security teams should interpret this score in context: a LOW CVSS for an authentication flaw warrants closer scrutiny than a LOW CVSS for a minor information leak.

Frequently asked questions

Should we treat this as critical because it affects authentication?

No. While authentication flaws carry inherent risk, this vulnerability's actual danger is constrained by high attack complexity and low impact. The CVSS score of 3.7 is appropriate. Treat it as a standard-priority patch rather than a critical incident, but do not ignore it.

We don't know which version of droidclaw we're running. How do we check?

Examine your droidclaw installation directory for a version file (often package.json, VERSION, or similar), check the Git tag if installed from source, or run the application's help/info command if available. Query your dependency management system (npm, pip, etc.) if droidclaw is a library dependency. Contact your internal team or the droidclaw deployment owner if unclear.

A public exploit exists. Should we assume we're already compromised?

Not necessarily. Public availability increases risk, but high attack complexity means exploitation requires targeted effort and system reconnaissance. If you have no suspicious authentication logs or credential leaks, assume you are not currently compromised. Implement the monitoring and mitigation steps outlined above and patch on schedule.

What if the vendor doesn't release a patch soon?

Implement compensating controls: rate-limit the claim endpoint at your edge (firewall, load balancer, WAF), enforce strict account lockout policies, and consider disabling or restricting pairing features to trusted networks only. Escalate the issue with the vendor on a defined timeline (e.g., 30 days) and evaluate alternative solutions if the vendor is unresponsive.

This analysis is provided for informational purposes and represents SEC.co's independent assessment based on publicly disclosed information. The vulnerability details, CVSS score, and affected versions are derived from official CVE records and vendor advisories. Patch availability, timelines, and version numbers should be verified directly with unitedbyai before deployment. SEC.co makes no warranty regarding the completeness or accuracy of mitigations or detection logic, and assumes no liability for operational decisions made in reliance on this content. Organizations must conduct their own risk assessment and testing in their specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).