Severity by source
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. Affected by this issue is the function Import of the file internal/http/tts_config.go of the component TTS Configuration Endpoint. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as a bug.
Analysis (AI)
Server-side request forgery in nextlevelbuilder GoClaw through version 3.11.3 lets a remote attacker holding high-privilege credentials make the TTS Configuration Import function issue server-side HTTP requests to attacker-chosen destinations. The vulnerable code path is the Import function in internal/http/tts_config.go, reachable over the network without user interaction once an administrative session is established. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the attacker to hold a high-privilege account within GoClaw; this is explicitly an authenticated attack (PR:H, as in CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U and in the NVD CVSS 4.0 vector above). … |
| Risk Assessment | The CVSS 3.1 base score of 4.7 (Medium) reflects a genuine but constrained threat profile: network-reachable with low attack complexity, but gated on high privileges and rated as low impact on each of confidentiality, integrity and availability, matching VC:L/VI:L/VA:L in the NVD CVSS 4.0 vector. … |
| Exploit Scenario | An attacker with compromised administrative credentials for a GoClaw instance submits a crafted POST or import request to the TTS Configuration endpoint, supplying a URL that points at the cloud instance metadata service (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/) or at an internal REST API endpoint not otherwise reachable from the internet. The GoClaw server fetches the attacker-supplied URL and returns or logs the response, enabling the attacker to harvest cloud IAM credentials, enumerate internal services, or pivot further into the backend network. … |
| Remediation | No vendor-released patch has been confirmed at the time of analysis (CVSS temporal RL:X, remediation level not defined). The NVD CVSS 4.0 vector carries E:P, proof-of-concept exploit maturity, consistent with the public disclosure noted in the description. … |
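The scenario above turns on one thing: the server fetches whatever URL the import request names. The block below is an added example, not code from GoClaw or from this page, showing the egress validation such an import path needs, written in Go because the affected handler is Go. It allow-lists the scheme, rejects embedded credentials, resolves every address the host maps to and refuses loopback, private, CGNAT, link-local (which contains 169.254.169.254, also in its IPv4-mapped IPv6 form) and related ranges, re-checks the address at dial time against DNS rebinding, and uses a client that never follows redirects. The names ValidateImportURL, NewImportClient, guardedDial and Resolver, and the sample URLs in main, are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Added example, not GoClaw's code; ValidateImportURL, NewImportClient,
// guardedDial and Resolver are assumed names. Blocked ranges: unspecified,
// RFC 1918, CGNAT, loopback, link-local (home of the cloud metadata address
// 169.254.169.254), IPv6 loopback, ULA and link-local.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"), netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// Resolver has the shape of net.Resolver.LookupNetIP so it can be injected
// (and stubbed offline in tests).
type Resolver func(ctx context.Context, network, host string) ([]netip.Addr, error)

// isBlocked unmaps IPv4-mapped IPv6 first: netip.Prefix.Contains treats
// ::ffff:169.254.169.254 as IPv6, so without Unmap it would slip past 169.254.0.0/16.
func isBlocked(addr netip.Addr) bool {
	addr = addr.Unmap()
	for _, p := range blockedPrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ValidateImportURL accepts only http(s) URLs without embedded credentials whose
// host resolves exclusively to publicly routable addresses. Every DNS answer is
// checked, so a name with one public and one internal record is rejected.
func ValidateImportURL(ctx context.Context, raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname() // brackets already stripped for IPv6 literals
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip}
	} else if addrs, err = resolve(ctx, "ip", host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, a := range addrs {
		if isBlocked(a) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, a)
		}
	}
	return addrs, nil
}

// guardedDial re-resolves and re-checks at connect time, closing the window a
// DNS-rebinding name would exploit between validation and fetch.
func guardedDial(ctx context.Context, network, address string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(address)
	if err != nil {
		return nil, err
	}
	addrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
	if err != nil {
		return nil, err
	}
	for _, a := range addrs {
		if isBlocked(a) {
			return nil, fmt.Errorf("refusing to dial %s (%s)", host, a)
		}
	}
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(addrs[0].String(), port))
}

// NewImportClient never follows redirects (a 302 from an allowed host to
// http://169.254.169.254/ would otherwise bypass the URL check) and bounds the request.
func NewImportClient() *http.Client {
	return &http.Client{
		Timeout:       15 * time.Second,
		Transport:     &http.Transport{DialContext: guardedDial},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

func main() {
	// Constructed inputs, literal addresses only, so this runs offline.
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/iam/security-credentials/",
		"http://[::ffff:169.254.169.254]/latest/meta-data/",
		"https://203.0.113.10/voices.json",
	} {
		_, err := ValidateImportURL(context.Background(), raw, net.DefaultResolver.LookupNetIP)
		fmt.Printf("%-66s -> %v\n", raw, err)
	}
}
```

Two cases the URL check alone does not cover are handled by the client: a redirect from a permitted host to an internal one, which CheckRedirect refuses, and a hostname whose answer changes between validation and connect, which guardedDial re-checks. Where the set of legitimate TTS providers is known, an explicit host allow-list on top of this is stricter still.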
External POC / Exploit Code
EUVD-2026-33879
GHSA-376c-9hgg-2xx6