{"api_version":"1","generated_at":"2026-06-03T11:06:12+00:00","cve":"CVE-2026-10291","urls":{"html":"https://cve.report/CVE-2026-10291","api":"https://cve.report/api/cve/CVE-2026-10291.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-10291","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-10291"},"summary":{"title":"Enderfga claw-orchestrator Session Grep Endpoint embedded-server.ts validateRegex redos","description":"A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.","state":"PUBLISHED","assigner":"VulDB","published_at":"2026-06-01 22:16:24","updated_at":"2026-06-02 17:16:26"},"problem_types":["CWE-400","CWE-1333","CWE-1333 Inefficient Regular Expression Complexity","CWE-400 Resource Consumption"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:N/I:N/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:N/A:P","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C","data":{"baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C","version":"2.0"}}],"references":[{"url":"https://vuldb.com/vuln/367584","name":"https://vuldb.com/vuln/367584","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Enderfga/claw-orchestrator/","name":"https://github.com/Enderfga/claw-orchestrator/","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/367584/cti","name":"https://vuldb.com/vuln/367584/cti","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.7.1","name":"https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.7.1","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/cve/CVE-2026-10291","name":"https://vuldb.com/cve/CVE-2026-10291","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/submit/826222","name":"https://vuldb.com/submit/826222","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Enderfga/claw-orchestrator/issues/64","name":"https://github.com/Enderfga/claw-orchestrator/issues/64","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Enderfga/claw-orchestrator/issues/64#issuecomment-4421942196","name":"https://github.com/Enderfga/claw-orchestrator/issues/64#issuecomment-4421942196","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Enderfga/claw-orchestrator/commit/3f970a974c65a94555c25af9f2796f11315e4584","name":"https://github.com/Enderfga/claw-orchestrator/commit/3f970a974c65a94555c25af9f2796f11315e4584","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-10291","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10291","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.0","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.1","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.2","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.3","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.4","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.5","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.6","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"affected 3.7.0","platforms":[]},{"source":"CNA","vendor":"Enderfga","product":"claw-orchestrator","version":"unaffected 3.7.1","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-05-31T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2026-05-31T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2026-05-31T19:48:30.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"ybdesire (VulDB User)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"10291","cve":"CVE-2026-10291","epss":"0.000600000","percentile":"0.190740000","score_date":"2026-06-02","updated_at":"2026-06-03 00:08:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-10291","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-02T15:43:30.758523Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-02T15:45:36.997Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/Enderfga/claw-orchestrator/issues/64"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:enderfga:claw-orchestrator:*:*:*:*:*:*:*:*"],"modules":["Session Grep Endpoint"],"product":"claw-orchestrator","vendor":"Enderfga","versions":[{"status":"affected","version":"3.0"},{"status":"affected","version":"3.1"},{"status":"affected","version":"3.2"},{"status":"affected","version":"3.3"},{"status":"affected","version":"3.4"},{"status":"affected","version":"3.5"},{"status":"affected","version":"3.6"},{"status":"affected","version":"3.7.0"},{"status":"unaffected","version":"3.7.1"}]}],"credits":[{"lang":"en","type":"reporter","value":"ybdesire (VulDB User)"}],"descriptions":[{"lang":"en","value":"A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component."}],"metrics":[{"cvssV4_0":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X","version":"4.0"}},{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C","version":"3.1"}},{"cvssV3_0":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C","version":"3.0"}},{"cvssV2_0":{"baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1333","description":"Inefficient Regular Expression Complexity","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-400","description":"Resource Consumption","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-01T20:45:10.390Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-367584 | Enderfga claw-orchestrator Session Grep Endpoint embedded-server.ts validateRegex redos","tags":["vdb-entry","technical-description"],"url":"https://vuldb.com/vuln/367584"},{"name":"VDB-367584 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/vuln/367584/cti"},{"name":"CVE-2026-10291 | CVE Analysis and Report","tags":["third-party-advisory"],"url":"https://vuldb.com/cve/CVE-2026-10291"},{"name":"Submit #826222 | Enderfga claw-orchestrator v2.7.0-v3.7.0 Inefficient Regular Expression Complexity","tags":["third-party-advisory"],"url":"https://vuldb.com/submit/826222"},{"tags":["issue-tracking"],"url":"https://github.com/Enderfga/claw-orchestrator/issues/64"},{"tags":["issue-tracking"],"url":"https://github.com/Enderfga/claw-orchestrator/issues/64#issuecomment-4421942196"},{"tags":["patch"],"url":"https://github.com/Enderfga/claw-orchestrator/commit/3f970a974c65a94555c25af9f2796f11315e4584"},{"tags":["patch"],"url":"https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.7.1"},{"tags":["product"],"url":"https://github.com/Enderfga/claw-orchestrator/"}],"tags":["x_open-source"],"timeline":[{"lang":"en","time":"2026-05-31T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2026-05-31T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2026-05-31T19:48:30.000Z","value":"VulDB entry last update"}],"title":"Enderfga claw-orchestrator Session Grep Endpoint embedded-server.ts validateRegex redos"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2026-10291","datePublished":"2026-06-01T20:45:10.390Z","dateReserved":"2026-05-31T17:43:01.679Z","dateUpdated":"2026-06-02T15:45:36.997Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-01 22:16:24","lastModifiedDate":"2026-06-02 17:16:26","problem_types":["CWE-400","CWE-1333","CWE-1333 Inefficient Regular Expression Complexity","CWE-400 Resource Consumption"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:N/A:P","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"10291","Ordinal":"1","Title":"Enderfga claw-orchestrator Session Grep Endpoint embedded-server","CVE":"CVE-2026-10291","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"10291","Ordinal":"1","NoteData":"A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.","Type":"Description","Title":"Enderfga claw-orchestrator Session Grep Endpoint embedded-server"}]}}}