Skip to main content

GoClaw EUVDEUVD-2026-43615

| CVE-2026-15626 LOW
Path Traversal (CWE-22)
2026-07-14 VulDB GHSA-wf8r-mxfr-xh87
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-accessible path traversal requiring low-privilege authentication; no scope change; partial confidentiality, integrity, and availability impact from arbitrary file read/write.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 14, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
Jul 14, 2026 - 04:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 14, 2026 - 03:46 vuln.today
CVE Published
Jul 14, 2026 - 02:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was determined in nextlevelbuilder GoClaw 3.13.3-beta.3. This affects the function writeFile of the file internal/providers/acp/tool_bridge.go of the component ACP ToolBridge Workspace Handler. This manipulation causes path traversal. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

Path traversal in GoClaw 3.13.3-beta.3 allows authenticated remote attackers to read or write files outside the intended workspace directory by manipulating the path argument to the writeFile function in the ACP ToolBridge Workspace Handler (internal/providers/acp/tool_bridge.go). A proof-of-concept exploit has been publicly disclosed via a GitHub issue, lowering the bar for exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege credentials
Delivery
Authenticate to GoClaw ACP ToolBridge
Exploit
Submit crafted file path with traversal sequences
Execution
writeFile writes attacker content to arbitrary filesystem path
Impact
Leverage written file for persistence or privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold low-privilege authenticated credentials on the GoClaw instance, as confirmed by PR:L in the CVSS 4.0 vector - unauthenticated access is not sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates a network-accessible, low-complexity attack with low-privilege authentication required and partial impact across confidentiality, integrity, and availability - no scope change to subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege authenticated access to a GoClaw deployment crafts a file write request to the ACP ToolBridge Workspace Handler, supplying a path such as `../../etc/cron.d/backdoor` as the target for `writeFile`. The function does not canonicalize or restrict the path, allowing the write to land outside the workspace root. …
Remediation No confirmed patched release version is identified in the available data - the vulnerability was reported via GitHub issue https://github.com/nextlevelbuilder/goclaw/issues/1201 and the fix status must be verified directly against the upstream repository at https://github.com/nextlevelbuilder/goclaw/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Goclaw

View all
CVE-2026-10219 MEDIUM POC
5.5 Jun 01

OS command injection in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers to execute arbitrary shel

CVE-2026-10617 MEDIUM POC
5.5 Jun 02

Missing authentication in GoClaw's Webhook Verification Handler allows unauthenticated remote attackers to interact with

CVE-2026-7505 MEDIUM POC
5.5 Apr 30

Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privi

CVE-2026-14716 LOW POC
2.1 Jul 05

Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote att

CVE-2026-15624 LOW POC
2.1 Jul 14

Server-side request forgery in GoClaw 3.13.3-beta.3 enables authenticated remote attackers to manipulate the `output.vid

CVE-2026-10218 LOW POC
2.1 Jun 01

Improper authorization in GoClaw (nextlevelbuilder/goclaw) up to version 3.11.3 allows a remote low-privileged attacker

CVE-2026-10217 LOW POC
2.1 Jun 01

Improper privilege management in nextlevelbuilder GoClaw up to version 3.11.3 allows authenticated low-privileged users

CVE-2026-10616 LOW POC
2.1 Jun 02

Missing authorization in nextlevelbuilder GoClaw up to version 3.11.3 allows low-privileged remote attackers to trigger

CVE-2026-15627 LOW POC
2.1 Jul 14

Information disclosure in nextlevelbuilder GoClaw up to version 3.13.3-beta.3 allows remote low-privileged attackers to

CVE-2026-15625 LOW POC
2.1 Jul 14

GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand functio

CVE-2026-10583 LOW POC
2.0 Jun 02

Server-side request forgery in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers with high-privileg

Share

EUVD-2026-43615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy