PatchSiren cyber security CVE debrief
CVE-2026-10216 unitedbyai CVE debrief
A low-severity authentication weakness exists in the droidclaw project (versions up to 0.5.3) within the claim endpoint at server/src/routes/pairing.ts. The flaw allows improper restriction of excessive authentication attempts, which could facilitate brute-force or credential-stuffing attacks. The attack vector is network-based, but the CVSS attack complexity is rated high and exploitability is described as difficult. A public exploit is available. The vendor was notified via a GitHub issue prior to disclosure but had not responded at the time of publication.
- Vendor: unitedbyai
- Product: droidclaw
- CVSS: LOW 2.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations running droidclaw ≤0.5.3 with exposed claim endpoints; security teams monitoring for authentication bypass or brute-force risks in Node.js/TypeScript applications.
Technical summary
The vulnerability resides in an unknown function within server/src/routes/pairing.ts, specifically the claim endpoint of droidclaw versions up to 0.5.3. The endpoint fails to properly restrict excessive authentication attempts, permitting remote attackers to conduct brute-force or credential-stuffing attacks. The high attack complexity and difficult exploitability suggest the attack may require specific conditions or sequencing. The exploit is publicly available, increasing the risk of attempted exploitation despite the low CVSS score. No vendor patch was available at the time of disclosure.
Defensive priority
low
Recommended defensive actions
- Review rate-limiting and authentication-attempt restrictions in the claim endpoint at server/src/routes/pairing.ts.
- Implement exponential backoff or account lockout mechanisms for repeated failed authentication attempts.
- Monitor for anomalous authentication request volumes to the claim endpoint.
- Track vendor response to GitHub issue #14 for patch availability.
- Apply updates from the droidclaw project once a fix is released.
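As an added example (not droidclaw's code), a self-contained TypeScript limiter of the kind the second action describes: it counts consecutive failed claim attempts per key and imposes an exponentially growing, capped lockout. The key choice (pairing code, client IP, or both), the thresholds and the handler names in the trailing comment are assumptions.

```typescript
// Added example, not part of droidclaw: per-key failed-attempt limiter with
// exponential backoff for an authentication endpoint such as the claim route.

interface AttemptState {
  failures: number;    // consecutive failed attempts for this key
  lockedUntil: number; // epoch ms before which further attempts are rejected
}

class AttemptLimiter {
  private readonly state = new Map<string, AttemptState>();
  private readonly freeAttempts: number; // failures tolerated before any lockout
  private readonly baseDelayMs: number;  // length of the first lockout
  private readonly maxDelayMs: number;   // cap on the backoff

  constructor(freeAttempts = 5, baseDelayMs = 1000, maxDelayMs = 15 * 60 * 1000) {
    this.freeAttempts = freeAttempts;
    this.baseDelayMs = baseDelayMs;
    this.maxDelayMs = maxDelayMs;
  }

  /** 0 if an attempt may proceed now, otherwise milliseconds the caller must wait. */
  retryAfterMs(key: string, now: number = Date.now()): number {
    const s = this.state.get(key);
    if (!s || s.lockedUntil <= now) return 0;
    return s.lockedUntil - now;
  }

  /** Record a failure; once the free budget is spent the lockout doubles each time. */
  recordFailure(key: string, now: number = Date.now()): number {
    const s = this.state.get(key) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    const over = s.failures - this.freeAttempts;
    if (over > 0) {
      const delay = Math.min(this.baseDelayMs * Math.pow(2, over - 1), this.maxDelayMs);
      s.lockedUntil = now + delay;
    }
    this.state.set(key, s);
    return s.lockedUntil > now ? s.lockedUntil - now : 0;
  }

  /** A successful claim clears the counter so legitimate clients are not penalised later. */
  recordSuccess(key: string): void {
    this.state.delete(key);
  }
}

// Sketch of use in a route handler (req, res and verifyClaim are assumed names):
//   const wait = limiter.retryAfterMs(req.ip);
//   if (wait > 0) return res.status(429).set("Retry-After", String(Math.ceil(wait / 1000))).end();
//   if (!verifyClaim(req.body)) { limiter.recordFailure(req.ip); return res.status(401).end(); }
//   limiter.recordSuccess(req.ip);
```

Keying on both the pairing code and the client address limits both single-target brute force and distributed credential stuffing; the 429 responses also give the monitoring action above a clean signal to alert on.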
Evidence notes
The CVE description identifies the affected file as server/src/routes/pairing.ts in the claim endpoint component. CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no required privileges (PR:N), and no user interaction (UI:N), yielding a base score of 2.9 (LOW). CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-799 (Improper Control of Interaction Frequency) are cited as weakness classifications. The exploit availability flag (E:P) confirms a public exploit exists. A GitHub issue (#14) was filed but the vendor had not responded as of the CVE publication date (2026-06-01).
Official resources
public