Skip to main content

Goclaw Lite

1 CVEs product

Monthly

CVE-2026-7505 MEDIUM POC PATCH This Month

Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.

Authentication Bypass Goclaw Goclaw Lite
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.

Authentication Bypass Goclaw Goclaw Lite
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy