
GoClaw CVE-2026-10616

EUVD-2026-34002 · LOW
Missing Authorization (CWE-862)
2026-06-02 · VulDB · GHSA-cq6h-h9c3-mq74
CVSS 4.0 (NVD): 2.1

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

3 events

Jun 02, 2026 20:30 (vuln.today): Analysis generated
Jun 02, 2026 20:22 (NVD): Severity changed, MEDIUM → LOW
Jun 02, 2026 20:22 (NVD): CVSS changed, 4.3 (MEDIUM) → 2.1 (LOW)

Description (CVE.org)

A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to missing authorization. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.

Analysis (AI-generated)

Missing authorization in nextlevelbuilder GoClaw up to version 3.11.3 allows low-privileged remote attackers to trigger unauthorized team task completions via the TeamTasksTool.executeComplete function. The flaw, classified as CWE-862, permits any authenticated user to bypass permission checks in the Team Task Completion Handler, falsely marking tasks as complete regardless of their authorization level. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate with low-privileged GoClaw account
Delivery: Identify target team task IDs via normal application access
Exploit: Send crafted request to TeamTasksTool.executeComplete
Execution: Bypass missing authorization check in team_tasks_lifecycle.go
Persist: Mark unauthorized tasks as complete
Impact: Corrupt project workflow integrity

Vulnerability Assessment (AI-generated)

Exploitation: Authentication with a low-privileged account is required; CVSS PR:L confirms this is not an unauthenticated attack vector. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 base score of 2.1 (Very Low) accurately reflects the constrained impact profile: the attack vector is network (AV:N), complexity is low (AC:L), but low privileges are required (PR:L), meaning unauthenticated exploitation is not possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A low-privileged user with a valid GoClaw account, such as a team member with read-only or basic contributor access, sends a crafted HTTP request targeting the TeamTasksTool.executeComplete endpoint, exploiting the missing authorization check to complete team tasks assigned to others or restricted to higher-privileged roles. A publicly available POC is referenced in GitHub issue #1133, providing concrete guidance for replication. …

Remediation: No specific patched release version has been confirmed in the available data; the fix status should be actively monitored against the GitHub repository at https://github.com/nextlevelbuilder/goclaw and the VulDB advisory at https://vuldb.com/vuln/367925. … Detailed patch versions, workarounds, and compensating controls in full report.
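The CWE-862 pattern behind this record is a state-changing handler that never asks whether the caller is allowed to act on the object it is given. The following Go snippet is an added illustration of that pattern and of the deny-by-default check that closes it; it is not GoClaw's code, and the `User`, `Task`, `Role` types, the `canComplete` policy (team membership plus assignee-or-lead) and the function names are all assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, hypothetical model of a team task. Not GoClaw's data structures.
type Role int

const (
	RoleMember Role = iota
	RoleTeamLead
)

type User struct {
	ID     string
	TeamID string
	Role   Role
}

type Task struct {
	ID         string
	TeamID     string
	AssigneeID string
	Completed  bool
}

var ErrForbidden = errors.New("forbidden: caller may not complete this task")

// completeTaskUnchecked has the CWE-862 shape: the caller is authenticated
// (we have a User), but no authorization decision is made before the task
// is mutated, so any account can complete any task it can name.
func completeTaskUnchecked(actor User, task *Task) error {
	_ = actor // the identity is available but never consulted
	task.Completed = true
	return nil
}

// canComplete is the authorization decision. The policy is an assumption:
// the caller must belong to the task's team and be either the assignee
// or a team lead. Everything else is denied.
func canComplete(actor User, task Task) bool {
	if actor.TeamID != task.TeamID {
		return false
	}
	return actor.ID == task.AssigneeID || actor.Role == RoleTeamLead
}

// completeTask is the hardened form: decide first, mutate only on allow.
// Returning a distinct error lets the transport layer map it to 403 and
// lets the audit log record the denied attempt with actor and task IDs.
func completeTask(actor User, task *Task) error {
	if !canComplete(actor, *task) {
		return fmt.Errorf("task %s by %s: %w", task.ID, actor.ID, ErrForbidden)
	}
	task.Completed = true
	return nil
}

func main() {
	task := Task{ID: "t1", TeamID: "team-a", AssigneeID: "alice"}
	outsider := User{ID: "mallory", TeamID: "team-b", Role: RoleMember}

	// Unchecked: the outsider completes a task on another team.
	_ = completeTaskUnchecked(outsider, &task)
	fmt.Println("unchecked, completed:", task.Completed)

	// Checked: the same call is refused and the task is untouched.
	task.Completed = false
	err := completeTask(outsider, &task)
	fmt.Println("checked, completed:", task.Completed, "err:", err)
}
```

The important design point is the ordering: the authorization decision is a pure function over (actor, object) that runs before any write, so it can be unit-tested in isolation and reused by every handler that mutates a task, rather than being reimplemented (or forgotten) per endpoint.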

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-10616 vulnerability details – vuln.today
