Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook Verification Handler. The manipulation leads to missing authentication. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
Analysis (AI)
Missing authentication in GoClaw's Webhook Verification Handler allows unauthenticated remote attackers to interact with webhook endpoints without valid credentials, affecting all versions up to and including 3.11.3. The flaw resides in the resolveAuth function within internal/http/auth.go, where the authentication check can be bypassed entirely. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The Webhook Verification Handler must be enabled and reachable; specifically, the `resolveAuth` function in `internal/http/auth.go` must be in the request processing path for webhook endpoints. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates network-accessible exploitation with low complexity, no attack prerequisites, no privileges required, and no user interaction, placing this in the easiest possible exploitation category. The impact metrics (VC:L/VI:L/VA:L, SC:N/SI:N/SA:N) rate confidentiality, integrity and availability impact on the vulnerable system as low, with no impact on subsequent systems, and E:P records that a proof-of-concept exploit exists. … |
| Exploit Scenario | An external attacker identifies a GoClaw instance with its webhook endpoint exposed to the network (or internet), sends a crafted HTTP request directly to the webhook verification handler, and bypasses the `resolveAuth` authentication check due to the CWE-306 flaw, gaining the ability to submit unauthenticated webhook payloads that trigger backend processing logic. A proof-of-concept demonstrating this bypass has been publicly disclosed via GitHub issue #1134, lowering the skill bar required to attempt exploitation. … |
| Remediation | No vendor-released patched version has been confirmed at time of analysis; the maintainer has tagged the report as a bug (GitHub issue #1134), but no fix release is identified in the available data. Until a fixed release is identified, the general compensating control for a missing-authentication flaw is to remove the endpoint from untrusted networks (for example, allow-list the calling service's addresses or place an authenticating reverse proxy in front of it). … |
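The assessment above describes the failure mode in the abstract: an authentication resolver that lets a request through when no credential is presented (fail open), which is what CWE-306 looks like in a webhook handler. The following is an added illustration written for this page, not GoClaw's code and not the content of issue #1134; the function names `resolveAuthVulnerable`, `resolveAuthHardened`, `webhookHandler`, `signBody` and `deliver`, the header name `X-Webhook-Signature`, the `sha256=` prefix and the secret and payload values are all assumptions chosen for the example. It contrasts a fail-open resolver with a fail-closed one that requires an HMAC-SHA256 signature over the body and compares it in constant time, and drives both through `httptest` so the difference is visible as a status code.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical illustration of CWE-306 in a webhook auth resolver.
// This is NOT GoClaw's code; identifiers only echo the advisory for orientation.

// signBody computes the signature a legitimate caller would attach (assumed
// scheme: "sha256=" + hex(HMAC-SHA256(secret, body))).
func signBody(body, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature checks a presented signature against the body. It decodes
// the hex and uses hmac.Equal so the comparison does not leak timing.
func verifySignature(body, secret []byte, presented string) bool {
	got, err := hex.DecodeString(strings.TrimPrefix(presented, "sha256="))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// resolveAuthVulnerable models the fail-open pattern: a signature is only
// verified when the caller bothers to send one. An attacker simply omits it.
func resolveAuthVulnerable(h http.Header, body, secret []byte) bool {
	if sig := h.Get("X-Webhook-Signature"); sig != "" {
		return verifySignature(body, secret, sig)
	}
	return true // BUG: no credential presented means no check at all
}

// resolveAuthHardened fails closed: a missing, malformed or mismatched
// signature is rejected, so an unsigned request never reaches backend logic.
func resolveAuthHardened(h http.Header, body, secret []byte) bool {
	sig := h.Get("X-Webhook-Signature")
	if sig == "" {
		return false
	}
	return verifySignature(body, secret, sig)
}

// webhookHandler places a resolver in front of the (stand-in) processing logic.
// The body is read once, size-capped, and the same bytes are used for both
// verification and processing so the check cannot be bypassed by a re-read.
func webhookHandler(resolve func(http.Header, []byte, []byte) bool, secret []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !resolve(r.Header, body, secret) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusAccepted) // backend processing would run here
	})
}

// deliver sends one constructed webhook POST to a handler and returns the
// HTTP status code, which is what an attacker or a test would observe.
func deliver(h http.Handler, body []byte, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
	if sig != "" {
		req.Header.Set("X-Webhook-Signature", sig)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	secret := []byte("constructed-example-secret") // constructed sample value
	body := []byte(`{"event":"push","ref":"main"}`)  // constructed sample payload
	vuln := webhookHandler(resolveAuthVulnerable, secret)
	hard := webhookHandler(resolveAuthHardened, secret)

	fmt.Println("unsigned  -> vulnerable:", deliver(vuln, body, ""), " hardened:", deliver(hard, body, ""))
	fmt.Println("signed    -> vulnerable:", deliver(vuln, body, signBody(body, secret)), " hardened:", deliver(hard, body, signBody(body, secret)))
	fmt.Println("tampered  -> vulnerable:", deliver(vuln, append(body, '!'), signBody(body, secret)), " hardened:", deliver(hard, append(body, '!'), signBody(body, secret)))
}
```

The unsigned case is the one that matters for this advisory: the fail-open resolver returns 202 and the payload reaches processing, while the fail-closed resolver returns 401. Both reject a tampered body because the signature no longer matches; the difference is entirely in what happens when no credential is presented.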
External POC / Exploit Code
Identifiers
EUVD-2026-34009
GHSA-m4rx-8cqf-h494