CVE-2026-10219
Deferred Deferred - Pending Action
Command Injection in GoClaw File System Tool

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was found in nextlevelbuilder GoClaw up to 3.11.3. This impacts the function FsBridge.WriteFile of the file internal/sandbox/fsbridge.go of the component write_file Tool. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10219
EUVD
EUVD-2026-33540
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nextlevelbuilder goclaw to 3.11.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include updating goclaw to a version that contains the fix for CVE-2026-10219, where the vulnerable shell invocation is removed and replaced with a safer method using the tee command with discrete arguments.

If updating is not immediately possible, restrict or disable sandbox mode in goclaw to prevent remote exploitation, and implement input validation to block filenames containing shell metacharacters.

Additionally, monitor your system for signs of exploitation and apply principle of least privilege to limit the impact of any potential compromise.

Executive Summary

CVE-2026-10219 is an OS command injection vulnerability found in the FsBridge.WriteFile function of the nextlevelbuilder GoClaw project up to version 3.11.3. The issue occurs because user-controlled file paths are injected into a shell command without proper escaping of Bash metacharacters. This allows an attacker to execute arbitrary operating system commands remotely by manipulating the file path input, exploiting shell command substitution.

The vulnerability arises specifically when the function uses the shell to write files, interpreting special characters in filenames as commands. For example, a filename like notes/$(touch /tmp/pwned).txt would cause the shell to execute the touch command before writing the file. The sandbox environment runs with root privileges, increasing the severity of the impact.

Impact Analysis

This vulnerability can have serious impacts including arbitrary command execution on the affected system with root privileges. An attacker can exploit this to steal sensitive data, perform lateral movement within the network, escalate privileges, or execute other malicious commands remotely.

Because the exploit can be triggered remotely and the sandbox runs as root, the attacker gains significant control over the system, potentially compromising the entire environment where GoClaw is deployed.

Detection Guidance

This vulnerability can be detected by checking for suspicious file path inputs that include shell metacharacters, such as command substitution patterns like $(command). For example, an attacker might use a filename like notes/$(touch /tmp/pwned).txt to trigger command injection.

To detect exploitation attempts on your system, you can monitor for unexpected files like /tmp/pwned created by such commands or look for unusual shell command executions triggered by the goclaw process.

Suggested commands to detect potential exploitation include:

  • Check for suspicious files created by command injection attempts: `ls -l /tmp/pwned`
  • Monitor running processes for unexpected commands spawned by goclaw: `ps aux | grep goclaw`
  • Search logs for suspicious filenames containing shell metacharacters: `grep -E '\$\(|\`' /var/log/*`
Compliance Impact

The vulnerability allows remote OS command injection with root privileges, enabling attackers to execute arbitrary commands, steal sensitive data, and escalate privileges.

Such unauthorized access and potential data breaches could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring system integrity.

Therefore, exploitation of this vulnerability could compromise confidentiality, integrity, and availability of data, impacting compliance with these common standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart