Skip to main content

GoClaw CVE-2026-10218

| EUVD-2026-33539 LOW
Improper Authorization (CWE-285)
2026-06-01 VulDB GHSA-j6m2-hpv6-29c4
Authentication Bypass Goclaw
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 01, 2026 - 04:23 vuln.today
Severity Changed
Jun 01, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
Jun 01, 2026 - 04:22 NVD
5.4 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project tagged the reported issue as bug.

AnalysisAI

Improper authorization in GoClaw (nextlevelbuilder/goclaw) up to version 3.11.3 allows a remote low-privileged attacker to bypass authorization controls via the auth function in internal/http/evolution_handlers.go. The CVSS 4.0 score is 2.1 with limited integrity and availability impact and no confidentiality exposure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege GoClaw credentials
Exploit
Send crafted HTTP request to evolution endpoint
Execution
Bypass `auth` function authorization check
Impact
Perform unauthorized integrity or availability action on target system
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privileged account on the target GoClaw instance (PR:L per CVSS vector) - unauthenticated exploitation is not supported by available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 is very low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a low-privileged account on a GoClaw deployment sends a crafted HTTP request targeting the `auth`-gated evolution endpoints, exploiting the improper authorization logic to perform actions beyond their assigned permission level - such as triggering unintended state changes or degrading service availability. A public proof-of-concept is available via GitHub issue #1120, lowering the bar for exploitation by less sophisticated actors. …
Remediation No vendor-released patched version has been identified in the available data at time of analysis - the project tagged the issue as a bug via GitHub issue #1120 (https://github.com/nextlevelbuilder/goclaw/issues/1120), but no corresponding fix commit or tagged release version was provided in the references. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10218 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy