A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. (CVE-2026-16082)
A time-of-check to time-of-use (TOCTOU) vulnerability exists in Sipeed PicoClaw up to version 0.2.9, specifically in the ExecTool.executeRun function in pkg/agent/pipeline_execute.go. The vulnerability arises from manipulation of the argument 'cwe'. Exploitation requires local access. The issue was publicly reported but marked as 'not planned' for a fix. No patch or official remediation is currently available. The vulnerability is rated as low severity.
AI Analysis
Technical Summary
CVE-2026-16082 describes a TOCTOU vulnerability in Sipeed PicoClaw versions up to 0.2.9. The flaw is located in the ExecTool.executeRun function within the pkg/agent/pipeline_execute.go file, where manipulation of the 'cwe' argument can lead to a race condition between checking and using a resource. Exploitation requires local privileges. The vulnerability has a low severity rating and no known exploits in the wild. The original GitHub issue was closed automatically with a 'not planned' label, indicating no official fix is scheduled.
Potential Impact
The vulnerability could allow a local attacker to exploit a race condition in the execution pipeline of Sipeed PicoClaw, potentially leading to unexpected behavior or privilege escalation. However, the impact is assessed as low severity, and no known exploits have been observed in the wild.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. The vendor has marked the issue as 'not planned' for remediation. Users should monitor the vendor's advisories for any future updates. Since exploitation requires local access, restricting local user privileges and access may reduce risk.
A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. (CVE-2026-16082)
Description
A time-of-check to time-of-use (TOCTOU) vulnerability exists in Sipeed PicoClaw up to version 0.2.9, specifically in the ExecTool.executeRun function in pkg/agent/pipeline_execute.go. The vulnerability arises from manipulation of the argument 'cwe'. Exploitation requires local access. The issue was publicly reported but marked as 'not planned' for a fix. No patch or official remediation is currently available. The vulnerability is rated as low severity.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-16082 describes a TOCTOU vulnerability in Sipeed PicoClaw versions up to 0.2.9. The flaw is located in the ExecTool.executeRun function within the pkg/agent/pipeline_execute.go file, where manipulation of the 'cwe' argument can lead to a race condition between checking and using a resource. Exploitation requires local privileges. The vulnerability has a low severity rating and no known exploits in the wild. The original GitHub issue was closed automatically with a 'not planned' label, indicating no official fix is scheduled.
Potential Impact
The vulnerability could allow a local attacker to exploit a race condition in the execution pipeline of Sipeed PicoClaw, potentially leading to unexpected behavior or privilege escalation. However, the impact is assessed as low severity, and no known exploits have been observed in the wild.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. The vendor has marked the issue as 'not planned' for remediation. Users should monitor the vendor's advisories for any future updates. Since exploitation requires local access, restricting local user privileges and access may reduce risk.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-49hh-3wxf-qhw8
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-16082"]
- Ecosystems
- []
- Database Specific Severity
- LOW
- Cvss Version
- 4.0
Threat ID: 6a5bd31e2a4a8d59892857ad
Added to database: 07/18/2026, 19:25:18 UTC
Last enriched: 07/18/2026, 19:29:46 UTC
Last updated: 07/18/2026, 22:26:34 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.