CVE-2026-43992

Juno Network · JunoClaw

JunoClaw exposes sensitive BIP-39 mnemonic seeds in LLM tool-call JSON data, risking credential theft via telemetry or logging surfaces.

Executive summary

JunoClaw versions prior to 0.x.y-security-1 are vulnerable to credential exposure, allowing unauthorized access to BIP-39 seed phrases through system logs and telemetry.

Vulnerability

The platform included the BIP-39 mnemonic seed as an explicit parameter in MCP tool-call JSON strings. This practice exposes the recovery seed to any intermediate system, including logging, telemetry, and external LLM providers.

Business impact

The exposure of BIP-39 seed phrases essentially grants an attacker full control over the associated wallets or contract assets. With a CVSS score of 9.8, the potential for total financial loss and unauthorized contract manipulation is extreme, necessitating immediate remediation.

Remediation

Immediate Action: Update the JunoClaw platform to version 0.x.y-security-1 or higher, which no longer includes mnemonic data in tool calls.

Proactive Monitoring: Review logs, telemetry data, and LLM interaction history for any instances where mnemonic seeds may have been inadvertently recorded or stored.

Compensating Controls: If immediate patching is not possible, rotate all keys or wallets that may have been handled by the platform and isolate the platform from logging systems that store sensitive JSON payloads.
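A defender-side check for the remediation steps above, added here as an example and not JunoClaw's own code: a shape-based detector for BIP-39 phrases in decoded tool-call JSON (word count and word shape only, no wordlist check), a redaction pass to apply before a payload reaches logs, telemetry or an LLM provider, and a scan over constructed log lines for the monitoring step. The detector inspects every string value, not just the named field, so a phrase pasted into an unrelated argument is caught too; the field names in SENSITIVE_KEYS and the log line format are assumptions, since the advisory does not give JunoClaw's tool schema.

```python
import json
import re

SENSITIVE_KEYS = {"mnemonic", "seed", "seed_phrase", "recovery_phrase"}  # hypothetical field names
VALID_LENGTHS = {12, 15, 18, 21, 24}      # BIP-39 phrase lengths
WORD_RE = re.compile(r"[a-z]{3,8}")        # BIP-39 English words are 3-8 lowercase letters
REDACTED = "[REDACTED-MNEMONIC]"

def looks_like_mnemonic(value):
    """Shape heuristic only (no wordlist check): a valid BIP-39 word count of lowercase words."""
    words = value.split()
    return len(words) in VALID_LENGTHS and all(WORD_RE.fullmatch(w) for w in words)

def _walk(node, on_string, key=""):
    """Rebuild a decoded JSON payload, applying on_string(parent_key, value) to every string leaf."""
    if isinstance(node, dict):
        return {k: _walk(v, on_string, k.lower()) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, on_string, key) for v in node]
    return on_string(key, node) if isinstance(node, str) else node

def is_exposed(key, value):
    return key in SENSITIVE_KEYS or looks_like_mnemonic(value)  # sensitive field or mnemonic-shaped value

def redact_tool_call(payload):
    """Copy of a decoded tool-call payload with mnemonic material replaced before logging or egress."""
    return _walk(payload, lambda k, v: REDACTED if is_exposed(k, v) else v)

def scan_log_lines(lines):
    """Return (line_number, field) for log lines whose embedded tool-call JSON carries a mnemonic."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\{.*\}", line)          # outermost JSON object on the line
        if not m:
            continue
        try:
            payload = json.loads(m.group())
        except json.JSONDecodeError:
            continue
        # walk for the side effect only; the rebuilt structure is discarded
        _walk(payload, lambda k, v: hits.append((n, k)) if is_exposed(k, v) else v)
    return hits

# Constructed sample log: NATO-alphabet words stand in for a real 12-word phrase.
SAMPLE_LOG = [
    '2026-01-01T00:00:00Z tool_call {"name": "sign_tx", "arguments": {"chain": "juno-1", '
    '"mnemonic": "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"}}',
    '2026-01-01T00:00:01Z tool_call {"name": "get_balance", "arguments": {"address": "juno1example"}}',
]
```

Running `scan_log_lines(SAMPLE_LOG)` reports the first line's `mnemonic` field and nothing for the second; `redact_tool_call` on the decoded payload yields the same structure with that value replaced.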

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The exposure of root-level credentials like BIP-39 seeds is a catastrophic failure. Organizations must treat this as a high-priority incident, update the software immediately, and assume that any credentials processed by previous versions are compromised.