HIGH 7.3

CVE-2026-10281: Enderfga claw-orchestrator Authentication Bypass – Patch Available

Enderfga's claw-orchestrator contains an authentication bypass in its API endpoint handler. Versions up to 3.5.5 fail to enforce authentication checks in the EmbeddedServer component, allowing unauthenticated remote attackers to access protected functionality. The flaw has been publicly disclosed and exploit code is available. Version 3.5.6 addresses the issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-287, CWE-306
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the EmbeddedServer implementation within src/embedded-server.ts. The API endpoint fails to validate authentication credentials before processing requests, violating CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). This is a network-accessible flaw with no complexity or privileges required to trigger it. An attacker can invoke protected API operations without presenting valid credentials, potentially gaining unauthorized access to sensitive functionality or data exposed through that endpoint.

Business impact

An unauthenticated attacker can manipulate the claw-orchestrator API, potentially leading to unauthorized orchestration commands, data exposure, or service disruption. The impact depends on what the orchestrator controls in your environment—if it manages infrastructure provisioning, deployment pipelines, or resource allocation, an attacker could execute arbitrary operations. Organizations relying on claw-orchestrator for production workflows face a material availability and integrity risk.

Affected systems

Enderfga claw-orchestrator versions 3.5.5 and earlier are affected. The EmbeddedServer component and its API endpoints are the attack surface. Any deployment exposing this service to untrusted networks or the public internet is at immediate risk. Verify your installed version and check for instances where the API is accessible beyond your intended trust boundary.

Exploitability

The CVSS score of 7.3 (HIGH) reflects the ease of exploitation: no authentication, low attack complexity, and network accessibility. Proof-of-concept code is already public, lowering the barrier for attackers. Active exploitation is likely if the vulnerability becomes widely known in threat communities targeting orchestration platforms or infrastructure-as-code tooling.

Remediation

Upgrade claw-orchestrator to version 3.5.6 or later immediately. The patch corrects the authentication bypass by restoring proper credential validation in the EmbeddedServer component. If an immediate upgrade is not feasible, restrict API endpoint access via firewall rules or network segmentation to prevent untrusted external traffic from reaching the vulnerable service.

Patch guidance

Update to version 3.5.6, which includes commit d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. Verify the patch hash against your vendor's official advisory before deployment. Test the upgrade in a non-production environment first to confirm API authentication now functions correctly and does not break existing authenticated clients. Plan upgrades during a maintenance window if the service is mission-critical.

Detection guidance

Monitor API logs for requests to the EmbeddedServer endpoint that lack standard authentication headers (e.g., Bearer tokens, API keys, or session cookies). Identify POST/PUT/DELETE requests from external IP ranges with no prior authentication event. Network IDS/IPS signatures may detect mass or unusual API calls to the endpoint. Check for unexpected changes to configurations or resources that the orchestrator manages, which may indicate unauthorized API manipulation.

Why prioritize this

This vulnerability combines high severity (CVSS 7.3), public exploit availability, and the critical nature of orchestration platforms. Attackers do not need authentication or special privileges, making it trivial to exploit at scale. Any organization running vulnerable claw-orchestrator versions should treat this as a priority-one remediation, especially if the service faces external networks or untrusted users.

Risk score, explained

The CVSS 7.3 score reflects a network-reachable authentication bypass with low barriers to exploitation. The vector AV:N/AC:L/PR:N/UI:N indicates no user interaction or privilege escalation needed. Impacts include confidentiality and integrity loss (access to data and ability to modify state) and potential availability impact depending on what operations the attacker invokes. The absence of KEV status does not diminish risk—public exploit code and the nature of the flaw make it a high-priority target.

Frequently asked questions

Do I need to worry about this if my claw-orchestrator is behind a firewall?

Firewall protection is essential and reduces exposure, but is not a substitute for patching. If the service is accessible to any untrusted network segment or via VPN, attackers can exploit it. Apply the patch as soon as possible; do not rely solely on perimeter controls.

What exactly can an attacker do if they exploit this?

An attacker can call any API operation that the EmbeddedServer exposes without authentication. Depending on what your orchestrator is configured to do—deploy code, provision resources, delete services, etc.—they can execute those operations. The full impact depends on your specific use case and what the orchestrator can access.

Is there a workaround if I cannot upgrade immediately?

The best interim control is network isolation: restrict access to the API endpoint to only trusted IP ranges or use a WAF/reverse proxy to enforce authentication before traffic reaches the service. However, these are temporary measures. Upgrade to 3.5.6 as soon as your maintenance window allows.

How do I verify that my version is vulnerable?

Check your installed claw-orchestrator version against 3.5.5. If you are running 3.5.5 or earlier, you are affected. Consult your Enderfga release notes or package manager to confirm your exact version. After upgrading to 3.5.6, re-check the version to confirm the patch was applied.

This analysis is provided for informational purposes. We do not provide exploit code or weaponized proof-of-concept instructions. Verify all patch versions, hashes, and vendor details against official Enderfga advisories before deploying updates. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog as of the analysis date. Security teams must conduct their own risk assessment based on their infrastructure, threat model, and business context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).