
GoClaw CVE-2026-10617

EUVD-2026-34009 · MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-02 · VulDB · GHSA-m4rx-8cqf-h494
5.5 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (3 events)

  • Analysis Generated: Jun 02, 2026 - 20:24 (vuln.today)
  • Severity Changed: Jun 02, 2026 - 20:22 (NVD): HIGH → MEDIUM
  • CVSS Changed: Jun 02, 2026 - 20:22 (NVD): 7.3 (HIGH) → 5.5 (MEDIUM)

Description (CVE.org)

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook Verification Handler. The manipulation leads to missing authentication. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.

Analysis (AI)

Missing authentication in GoClaw's Webhook Verification Handler allows unauthenticated remote attackers to interact with webhook endpoints without valid credentials, affecting all versions up to and including 3.11.3. The flaw resides in the resolveAuth function within internal/http/auth.go, where the authentication check can be bypassed entirely. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify internet-facing GoClaw webhook endpoint
  • Delivery: Send unauthenticated HTTP request to webhook handler
  • Exploit: Bypass resolveAuth authentication check (CWE-306)
  • Execution: Inject arbitrary webhook payload
  • Impact: Trigger unintended backend processing logic

Vulnerability Assessment (AI)

Exploitation: The Webhook Verification Handler must be enabled and reachable; specifically, the `resolveAuth` function in `internal/http/auth.go` must be in the request processing path for webhook endpoints. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates network-accessible exploitation with low complexity, no attack prerequisites, no privileges required, and no user interaction, placing this in the easiest possible exploitation category. …

Exploit Scenario: An external attacker identifies a GoClaw instance with its webhook endpoint exposed to the network (or internet), sends a crafted HTTP request directly to the webhook verification handler, and bypasses the `resolveAuth` authentication check due to the CWE-306 flaw, gaining the ability to submit unauthenticated webhook payloads that trigger backend processing logic. A proof-of-concept demonstrating this bypass has been publicly disclosed via GitHub issue #1134, lowering the skill bar required to attempt exploitation. …

Remediation: No vendor-released patched version has been confirmed at time of analysis; the maintainer has tagged the report as a bug (GitHub issue #1134), but no fix release is identified in the available data. …
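The assessment above describes the flaw only as a bypassable authentication check in a webhook verification handler. The following Go example, added here and not taken from GoClaw's code, shows one common CWE-306 shape for such a handler (a request with no credential is treated as trusted) next to a fail-closed HMAC-SHA256 verification; the header name `X-Webhook-Signature`, the shared secret and the payload are constructed for the example.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
)

// Hypothetical header name and shared secret, constructed for this example.
const sigHeader = "X-Webhook-Signature"
var webhookSecret = []byte("example-shared-secret")

// expectedMAC is the HMAC-SHA256 tag a legitimate sender attaches to the body.
func expectedMAC(body []byte) []byte {
	mac := hmac.New(sha256.New, webhookSecret)
	mac.Write(body)
	return mac.Sum(nil)
}

// validSignature decodes the presented hex tag and compares it in constant time.
func validSignature(presented string, body []byte) bool {
	got, err := hex.DecodeString(presented)
	return err == nil && hmac.Equal(got, expectedMAC(body))
}

// resolveAuthFailOpen is the CWE-306 shape: a request with no signature
// header is waved through, so the verification never runs.
func resolveAuthFailOpen(r *http.Request, body []byte) bool {
	sig := r.Header.Get(sigHeader)
	if sig == "" {
		return true // BUG: absence of a credential must not mean "trusted"
	}
	return validSignature(sig, body)
}

// resolveAuthFailClosed is the corrected form: no header, no access.
func resolveAuthFailClosed(r *http.Request, body []byte) bool {
	sig := r.Header.Get(sigHeader)
	return sig != "" && validSignature(sig, body)
}
func main() {
	body := []byte(`{"event":"deploy"}`)                      // constructed payload
	r, _ := http.NewRequest(http.MethodPost, "/webhook", nil) // body already read
	fmt.Println("fail-open, no header:  ", resolveAuthFailOpen(r, body))   // true
	fmt.Println("fail-closed, no header:", resolveAuthFailClosed(r, body)) // false
	r.Header.Set(sigHeader, hex.EncodeToString(expectedMAC(body)))
	fmt.Println("fail-closed, signed:   ", resolveAuthFailClosed(r, body)) // true
}
```

The fail-closed variant also rejects a tampered body or a malformed signature, which is the behaviour a compensating control in front of an unpatched instance should enforce.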


CVE-2026-10617 vulnerability details – vuln.today
