Executive Summary

CVE-2026-10218 is an authorization bypass vulnerability in the GoClaw software up to version 3.11.3. It specifically affects the PATCH /v1/agents/{agentID}/evolution/suggestions/{suggestionID} endpoint.

The flaw allows users with low privileges, such as Viewer-level tenant members, to approve, reject, or modify system-generated Evolution Suggestions without proper authorization.

The root cause is an insecure default behavior in the access control middleware where an empty role requirement dynamically resolves to a higher privilege role (RoleOperator), and the Gateway Token mechanism further elevates any valid token to RoleAdmin, bypassing intended role checks.

This vulnerability is classified under improper authorization and privilege management weaknesses.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized administrative actions by low-privilege users.

Attackers can manipulate Evolution Suggestions that control tenant configurations, such as disabling built-in tools or modifying agent behaviors.

Such actions can cause denial of service (DoS) for core system features, potential data loss, and disruption of core logic.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects the PATCH /v1/agents/{agentID}/evolution/suggestions/{suggestionID} endpoint in GoClaw up to version 3.11.3. Detection involves monitoring or testing unauthorized privilege escalation attempts on this endpoint.

You can attempt to detect the vulnerability by sending PATCH requests to the affected endpoint using a low-privilege token (e.g., Viewer-level) and checking if unauthorized modifications are allowed.

Example command using curl to test unauthorized access:

• curl -X PATCH https://your-goclaw-instance/v1/agents/{agentID}/evolution/suggestions/{suggestionID} -H "Authorization: Bearer <low-privilege-token>" -d '{"someField":"someValue"}' -v

If the request succeeds in modifying or approving suggestions without proper authorization, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability has been patched in versions of GoClaw later than 3.11.3. The immediate mitigation step is to upgrade GoClaw to the latest version where this issue is fixed.

Until an upgrade is possible, restrict access to the vulnerable PATCH endpoint to trusted administrators only, and monitor for suspicious activity involving Evolution Suggestions.

Review and tighten access control middleware configurations to ensure that role requirements are properly enforced and that tokens do not automatically elevate privileges.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in GoClaw allows unauthorized users to perform administrative actions such as approving, rejecting, or modifying system-generated Evolution Suggestions that control tenant configurations and agent behaviors. This improper authorization can lead to denial of service, data loss, and disruption of core system features.

Such unauthorized access and potential data manipulation could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Improper authorization increases the risk of unauthorized data exposure or modification, which may violate these regulatory requirements.

Useful 0 Not Useful 0