Skip to main content

GoClaw CVE-2026-7505

MEDIUM
Improper Authorization (CWE-285)
2026-04-30 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
PoC Detected
May 01, 2026 - 15:26 vuln.today
Public exploit code
Severity Changed
Apr 30, 2026 - 23:22 NVD
HIGH MEDIUM
CVSS changed
Apr 30, 2026 - 23:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Source Code Evidence Fetched
Apr 30, 2026 - 23:00 vuln.today
Analysis Generated
Apr 30, 2026 - 23:00 vuln.today
Analysis Generated
Apr 30, 2026 - 22:45 vuln.today
Patch released
Apr 30, 2026 - 22:45 nvd
Patch available
CVE Published
Apr 30, 2026 - 22:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 3.9.0 mitigates this issue. Patch name: 406022e79f4a18b3070a446712080571eff11e30. You should upgrade the affected component.

AnalysisAI

Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.

Technical ContextAI

GoClaw is a remote management platform using WebSocket RPC for client-server communication. The vulnerability resides in the gateway router's permission enforcement layer (internal/gateway/router.go and internal/permissions/policy.go). The flawed implementation has two critical defects mapped to CWE-285 (Improper Authorization): (1) the MethodRole() function returned RoleViewer for any method not explicitly classified, creating a default-permit policy where newly added or undocumented RPCs were accessible to any authenticated client; (2) the handleConnect() method had a fallback Path 4 that granted authenticated viewer status even when both token validation and pairing verification failed, allowing completely unauthenticated clients to establish sessions. The CPE identifiers cpe:2.3:a:nextlevelbuilder:goclaw and cpe:2.3:a:nextlevelbuilder:goclaw_lite confirm both product variants share the same codebase and vulnerability. The patch refactors authorization to fail-closed semantics: MethodRole() now returns RoleNone for unclassified methods (which the router rejects with PERMISSION_DENIED), isPublicMethod() and isReadMethod() whitelists replace the default-permit logic, and Path 4 connection fallback now explicitly rejects with protocol.ErrUnauthorized instead of granting viewer access.

RemediationAI

Upgrade to GoClaw version 3.9.0 or later immediately (https://github.com/nextlevelbuilder/goclaw/releases/tag/v3.9.0). The patch (commit 406022e79f4a18b3070a446712080571eff11e30, PR #950) implements fail-closed authorization and eliminates the authentication fallback. If immediate upgrade is infeasible, apply compensating controls with these trade-offs: (1) restrict WebSocket endpoint access to authenticated networks via firewall rules (mitigates remote unauthenticated vector but blocks legitimate remote users and does not prevent insider threats); (2) deploy reverse proxy with strict method filtering to block non-public RPC methods (requires maintaining allowlist synchronized with application updates, risks breaking legitimate functionality); (3) enable TLS client certificate authentication at the transport layer (strong authentication but requires certificate distribution infrastructure and may not integrate with existing SSO). Each workaround introduces operational overhead and does not address the root cause. Vendor patch is the only complete remediation. Verify patch deployment by testing that unauthenticated WebSocket connections receive ErrUnauthorized and that invoking previously-exposed methods like heartbeat.set or config.get returns PERMISSION_DENIED errors.

More in Goclaw

View all
CVE-2026-10219 MEDIUM POC
5.5 Jun 01

OS command injection in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers to execute arbitrary shel

CVE-2026-10617 MEDIUM POC
5.5 Jun 02

Missing authentication in GoClaw's Webhook Verification Handler allows unauthenticated remote attackers to interact with

CVE-2026-15626 LOW POC
2.1 Jul 14

Path traversal in GoClaw 3.13.3-beta.3 allows authenticated remote attackers to read or write files outside the intended

CVE-2026-14716 LOW POC
2.1 Jul 05

Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote att

CVE-2026-15624 LOW POC
2.1 Jul 14

Server-side request forgery in GoClaw 3.13.3-beta.3 enables authenticated remote attackers to manipulate the `output.vid

CVE-2026-10218 LOW POC
2.1 Jun 01

Improper authorization in GoClaw (nextlevelbuilder/goclaw) up to version 3.11.3 allows a remote low-privileged attacker

CVE-2026-10217 LOW POC
2.1 Jun 01

Improper privilege management in nextlevelbuilder GoClaw up to version 3.11.3 allows authenticated low-privileged users

CVE-2026-10616 LOW POC
2.1 Jun 02

Missing authorization in nextlevelbuilder GoClaw up to version 3.11.3 allows low-privileged remote attackers to trigger

CVE-2026-15627 LOW POC
2.1 Jul 14

Information disclosure in nextlevelbuilder GoClaw up to version 3.13.3-beta.3 allows remote low-privileged attackers to

CVE-2026-15625 LOW POC
2.1 Jul 14

GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand functio

CVE-2026-10583 LOW POC
2.0 Jun 02

Server-side request forgery in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers with high-privileg

Share

CVE-2026-7505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy