CVE-2026-10218
Improper Authorization in GoClaw up to 3.11.3
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextlevelbuilder | goclaw | up to 3.11.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10218 is an authorization bypass vulnerability in the GoClaw software up to version 3.11.3. It specifically affects the PATCH /v1/agents/{agentID}/evolution/suggestions/{suggestionID} endpoint.
The flaw allows users with low privileges, such as Viewer-level tenant members, to approve, reject, or modify system-generated Evolution Suggestions without proper authorization.
The root cause is an insecure default behavior in the access control middleware where an empty role requirement dynamically resolves to a higher privilege role (RoleOperator), and the Gateway Token mechanism further elevates any valid token to RoleAdmin, bypassing intended role checks.
This vulnerability is classified under improper authorization and privilege management weaknesses.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized administrative actions by low-privilege users.
Attackers can manipulate Evolution Suggestions that control tenant configurations, such as disabling built-in tools or modifying agent behaviors.
Such actions can cause denial of service (DoS) for core system features, potential data loss, and disruption of core logic.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the PATCH /v1/agents/{agentID}/evolution/suggestions/{suggestionID} endpoint in GoClaw up to version 3.11.3. Detection involves monitoring or testing unauthorized privilege escalation attempts on this endpoint.
You can attempt to detect the vulnerability by sending PATCH requests to the affected endpoint using a low-privilege token (e.g., Viewer-level) and checking if unauthorized modifications are allowed.
Example command using curl to test unauthorized access against your own instance:

```bash
curl -X PATCH https://your-goclaw-instance/v1/agents/{agentID}/evolution/suggestions/{suggestionID} \
  -H "Authorization: Bearer <low-privilege-token>" \
  -d '{"someField":"someValue"}' -v
```
If the request succeeds in modifying or approving suggestions without proper authorization, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in versions of GoClaw later than 3.11.3. The immediate mitigation step is to upgrade GoClaw to the latest version where this issue is fixed.
Until an upgrade is possible, restrict access to the vulnerable PATCH endpoint to trusted administrators only, and monitor for suspicious activity involving Evolution Suggestions.
Review and tighten access control middleware configurations to ensure that role requirements are properly enforced and that tokens do not automatically elevate privileges.
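The two middleware defects named in the root-cause answer above (an empty role requirement that resolves the caller to RoleOperator, and a gateway token that is treated as RoleAdmin) and the fix this mitigation step asks for, shown as an added Go model; this is illustrative code written for this page, not GoClaw's own middleware, and the role ladder, the Principal type and the RoleOperator minimum for editing a suggestion are assumptions.

```go
package main

import "fmt"

// Hypothetical role ladder modelled on the RoleOperator/RoleAdmin names in
// the advisory; the real GoClaw definitions are not reproduced here.
type Role int

const (
	RoleNone Role = iota // route declared no role requirement
	RoleViewer
	RoleOperator
	RoleAdmin
)

// Principal is the authenticated caller; GatewayToken marks the token type
// the advisory says was elevated to RoleAdmin regardless of its bound role.
type Principal struct {
	Role         Role
	GatewayToken bool
}

// weakEffectiveRole models the flawed middleware: any gateway token becomes
// admin, and an empty route requirement resolves the caller to RoleOperator.
func weakEffectiveRole(required Role, p Principal) Role {
	if p.GatewayToken {
		return RoleAdmin // blanket elevation of any valid gateway token
	}
	if required == RoleNone {
		return RoleOperator // CWE-266: privilege assigned by default
	}
	return p.Role
}

// hardenedEffectiveRole never manufactures privilege: the caller keeps the
// role bound to its token, whatever the token type or route annotation.
func hardenedEffectiveRole(p Principal) Role { return p.Role }

// canModifySuggestion is the handler-side check for approving, rejecting or
// editing an Evolution Suggestion; RoleOperator is the assumed minimum.
func canModifySuggestion(effective Role) bool { return effective >= RoleOperator }

func main() {
	viewer := Principal{Role: RoleViewer}
	gateway := Principal{Role: RoleViewer, GatewayToken: true}
	fmt.Println(canModifySuggestion(weakEffectiveRole(RoleNone, viewer)))  // true (bug)
	fmt.Println(canModifySuggestion(weakEffectiveRole(RoleNone, gateway))) // true (bug)
	fmt.Println(canModifySuggestion(hardenedEffectiveRole(viewer)))        // false
	fmt.Println(canModifySuggestion(hardenedEffectiveRole(gateway)))       // false
}
```

The hardened variant pairs with an explicit minimum role declared on every route: an undeclared requirement should be treated as a configuration error and denied, never resolved to a default.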
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in GoClaw allows unauthorized users to perform administrative actions such as approving, rejecting, or modifying system-generated Evolution Suggestions that control tenant configurations and agent behaviors. This improper authorization can lead to denial of service, data loss, and disruption of core system features.
Such unauthorized access and potential data manipulation could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Improper authorization increases the risk of unauthorized data exposure or modification, which may violate these regulatory requirements.