MEDIUM 4.3

CVE-2026-10291: ReDoS in Enderfga claw-orchestrator validateRegex—Security Update

Enderfga's claw-orchestrator contains a flaw in how it validates regular expressions in the Session Grep Endpoint. An authenticated attacker can supply a maliciously crafted regex pattern that forces excessive CPU consumption, potentially slowing or freezing the service. This is a medium-severity issue affecting versions up to 3.7.0 and is remedied by upgrading to 3.7.1.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-1333, CWE-400
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.

10 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The validateRegex function in claw-orchestrator/src/embedded-server.ts fails to enforce algorithmic efficiency when processing regex patterns supplied via the Session Grep Endpoint's body.pattern parameter. This enables ReDoS (Regular Expression Denial of Service) exploitation. An authenticated user can craft a pathological regex—typically involving nested quantifiers or catastrophic backtracking scenarios—that consumes unbounded CPU cycles during pattern matching. The vulnerability is rooted in inadequate input validation before regex compilation. CVSS 3.1 score of 4.3 (MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) reflects that exploitation requires valid authentication and results in availability impact only.

Business impact

Service availability is at direct risk. An authenticated user (or an attacker who has compromised legitimate credentials) can trigger ReDoS conditions that degrade performance or cause denial of service, disrupting operational workflows that depend on the claw-orchestrator. In multi-tenant environments, this could affect all users. While confidentiality and integrity remain unaffected, persistent exploitation could create operational friction and support overhead.

Affected systems

Enderfga claw-orchestrator versions up to and including 3.7.0 are affected. The vulnerability is present in the Session Grep Endpoint component within the embedded server. Version 3.7.1 contains the fix and should be deployed immediately.

Exploitability

Exploitation requires authenticated network access—an attacker must possess valid credentials to reach the vulnerable endpoint. The attack itself is trivial to execute: a single HTTP request with a pathological regex pattern in body.pattern suffices. No special privileges, user interaction, or exploit tools are required beyond basic HTTP capabilities. The barrier to exploitation is low once authentication is obtained.

Remediation

Upgrade claw-orchestrator to version 3.7.1 or later without delay. The patch (commit 3f970a974c65a94555c25af9f2796f11315e4584) hardens the validateRegex function to reject or constrain overly complex patterns before execution. For environments unable to upgrade immediately, consider network-level restrictions to the Session Grep Endpoint, credential rotation if compromise is suspected, and monitoring for sudden CPU spikes or endpoint timeouts.

Patch guidance

Deploy version 3.7.1 as soon as feasible. The upgrade is a targeted fix and should pose minimal breaking-change risk. Verify the patch hash 3f970a974c65a94555c25af9f2796f11315e4584 against the vendor's release notes or Git repository to confirm authenticity. Test in a staging environment first if feasible, then roll out to production. No configuration changes are required post-upgrade.

Detection guidance

Monitor for abnormal CPU utilization or request latency spikes on endpoints serving the Session Grep functionality. Log and alert on regex validation errors or timeouts in the embedded-server component. Watch for repeated requests to body.pattern with suspiciously long or deeply nested regex syntax (e.g., patterns with excessive alternation, nested quantifiers like (a+)+ or (a|a)*). Correlate these with specific authenticated users to identify potential attack campaigns.

Why prioritize this

Although CVSS 4.3 is moderate, this vulnerability should be treated as high-priority for any organization relying on claw-orchestrator. Exploitation requires only authentication and imposes immediate service impact—an attacker need not invest in sophisticated techniques. The fix is straightforward (a simple version upgrade), making rapid deployment feasible and justifiable. Delayed patching extends the window of operational risk.

Risk score, explained

CVSS 3.1 assigns a score of 4.3 (MEDIUM) because: (1) the attack vector is network-based and requires low complexity, (2) valid authentication is mandatory, reducing the threat population, (3) the impact is confined to availability—no data breach or integrity violation occurs, and (4) the scope is unchanged. The score appropriately reflects a real but bounded risk that does not endanger confidentiality or data integrity.

Frequently asked questions

Can an unauthenticated attacker exploit this?

No. The Session Grep Endpoint requires valid authentication. Unauthenticated requests are rejected before the vulnerable regex validation occurs.

What happens if a ReDoS attack succeeds?

The claw-orchestrator process will consume abnormally high CPU as the regex engine backtracks through the pathological pattern. This degrades performance for all users and may cause timeouts or temporary unavailability of the endpoint.

Is there a workaround if I cannot upgrade immediately?

Implement network-level access controls to restrict the Session Grep Endpoint to trusted IP ranges or networks. Monitor authenticated session activity closely for unusual patterns. However, upgrading to 3.7.1 is the definitive remedy and should remain the priority.

Does this vulnerability affect data stored in claw-orchestrator?

No. The vulnerability impacts only availability (service responsiveness), not confidentiality or integrity. Your data remains secure; the concern is service disruption.

This analysis is based on published CVE data as of the date of this article. Vulnerability details, patch availability, and affected product lists are subject to change. Organizations should verify patch compatibility and test in staging environments before production deployment. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this information. For authoritative guidance, consult Enderfga's official security advisories and release notes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).