NVIDIA NemoClaw — Sandbox Environment-Variable Exfiltration and SSRF via Blueprint Config (CVE-2026-24222 / CVE-2026-24231)

AI relevance: NemoClaw is NVIDIA's hardened sandbox wrapper for running AI agents — if its sandbox initialization leaks host environment variables to a prompt-injected model, every API key, cloud credential, and database token in that agent's environment is exposed.

NVIDIA published its April 2026 NemoClaw security bulletin on April 28, covering two vulnerabilities in the agent sandbox stack. Each flaw affects all NemoClaw versions prior to its respective fix release.

  • CVE-2026-24222 (CVSS 8.6, High) — A flaw in sandbox environment initialization lets a remote attacker supply prompt-injected content that causes the agent to read and exfiltrate host environment variables that were not properly restricted when the sandbox was created. The CVSS vector has Scope: Changed (S:C): the impact crosses from the sandbox into the host environment. Discovered by Colin McDonough of 50words.com.
  • CVE-2026-24231 (CVSS 5.9, Medium) — The validateEndpointUrl() SSRF protection fails to block endpoint URLs in the 0.0.0.0/8 range when the URL comes from a blueprint configuration file or a CLI flag. Connecting to 0.0.0.0 reaches services bound on the local host (on Linux and macOS), so a blocklist that stops at 127.0.0.0/8 still lets such an endpoint reach them; the result is server-side request forgery usable for information disclosure. Discovered by Avi Lumelsky of Oligo Security.
  • NemoClaw runs OpenClaw agents inside NVIDIA OpenShell container sandboxes with managed inference — it is positioned as the enterprise on-ramp for securing local and self-hosted agent deployments.
  • CVE-2026-24222 is classified as CWE-497 (Exposure of Sensitive System Data) and CVE-2026-24231 as CWE-918 (Server-Side Request Forgery); both have an information-disclosure impact.
  • CVE-2026-24222 is fixed in NemoClaw v0.0.18; CVE-2026-24231 was previously addressed in v0.0.13 but is bundled in this bulletin for awareness.

Why it matters

NemoClaw is the recommended security boundary for self-hosted AI agent deployments on NVIDIA hardware. CVE-2026-24222 is notable because it demonstrates that even a purpose-built agent sandbox can leak host secrets through its initialization path — the sandbox existed, but the environment-variable scoping was incomplete. For teams running agents with cloud provider credentials, LLM API keys, or internal service tokens in their environment, this is a direct exfiltration path from a single prompt-injected request.

The SSRF in endpoint validation (CVE-2026-24231) compounds the risk: an attacker who can influence the blueprint config or CLI flags could probe internal network services, potentially chaining with CVE-2026-24222 to pivot from network reconnaissance to credential theft.

What to do

  • Update NemoClaw to v0.0.18 or later immediately (github.com/NVIDIA/NemoClaw).
  • Avoid running openshell self-update, npm update -g openshell, or openshell sandbox create directly — let nemoclaw onboard manage the OpenShell lifecycle.
  • Rotate any host environment variables that were accessible to agent sandboxes before patching: API keys, cloud credentials, and database tokens should all be treated as potentially exposed.
  • Review blueprint configuration files and CLI flag handling so that no untrusted input can set endpoint URLs; treat blueprints as code from trusted sources only, and prefer an explicit allowlist of inference hosts over relying on an address blocklist.

Source links