CVE-2026-24222 PUBLISHED

Assigner: nvidia
Reserved: 21.01.2026 Published: 28.04.2026 Updated: 28.04.2026

NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly restricted during sandbox creation. A successful exploit of this vulnerability might lead to information disclosure.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 8.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	NVIDIA
Product	NemoClaw
Versions	Default: unaffected Version All versions prior to v0.0.18 is affected

References

Problem Types

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE

Impacts

Information disclosure