Skip to content
Threat Feed
high advisory

CVE-2026-15319: Remote Improper Access Control in Sipeed PicoClaw

A remote improper access control vulnerability (CVE-2026-15319) exists in the IPAllowlist function of the Launcher component in Sipeed PicoClaw versions up to and including 0.2.9, allowing unauthorized remote access due to publicly disclosed exploit.

A security vulnerability, CVE-2026-15319, has been identified in Sipeed PicoClaw versions up to and including 0.2.9. This flaw resides within the IPAllowlist function of the Launcher component, specifically located in the web/backend/middleware/access_control.go file. The vulnerability permits remote manipulation leading to improper access controls, allowing an unauthorized attacker to bypass intended restrictions. The exploit for this issue has been publicly disclosed, increasing the risk of widespread exploitation against unpatched systems. Defenders should prioritize patching due to the remote exploitability and public availability of the exploit.

Attack Chain

(Attack chain details are not available in the source, which describes a vulnerability rather than an observed exploitation sequence.)

Impact

Successful exploitation of CVE-2026-15319 could allow a remote, unauthenticated attacker to bypass IP-based access controls within the Sipeed PicoClaw Launcher component. This leads to unauthorized access to functionalities or resources that should be restricted, potentially enabling further compromise of the system or data. While specific victim numbers or targeted sectors are not detailed in the public disclosure, any organization utilizing vulnerable versions of Sipeed PicoClaw is at risk of unauthorized system access.

Recommendation

  • Apply patch 3126, referenced in this brief, to all Sipeed PicoClaw installations running versions up to 0.2.9 immediately to remediate CVE-2026-15319.
  • Monitor your Sipeed PicoClaw web interface access logs for any unauthorized access attempts, which could indicate exploitation of the improper access controls detailed in CVE-2026-15319.