CVE-2026-10219
Command Injection in GoClaw File System Tool
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextlevelbuilder | goclaw | up to and including 3.11.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating goclaw to a version that contains the fix for CVE-2026-10219, where the vulnerable shell invocation is removed and replaced with a safer method using the tee command with discrete arguments.
If updating is not immediately possible, restrict or disable sandbox mode in goclaw to prevent remote exploitation, and implement input validation to block filenames containing shell metacharacters.
Additionally, monitor your system for signs of exploitation and apply the principle of least privilege to limit the impact of any potential compromise.
Can you explain this vulnerability to me?
CVE-2026-10219 is an OS command injection vulnerability found in the FsBridge.WriteFile function of the nextlevelbuilder GoClaw project up to version 3.11.3. The issue occurs because user-controlled file paths are injected into a shell command without proper escaping of Bash metacharacters. This allows an attacker to execute arbitrary operating system commands remotely by manipulating the file path input, exploiting shell command substitution.
The vulnerability arises specifically when the function uses the shell to write files, interpreting special characters in filenames as commands. For example, a filename like notes/$(touch /tmp/pwned).txt would cause the shell to execute the touch command before writing the file. The sandbox environment runs with root privileges, increasing the severity of the impact.
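The flawed pattern next to the hardened form described in the mitigation answer (no shell, tee with the path as a discrete argument, plus a metacharacter check on the input), as an added Go example that is not GoClaw's own code; the function names, the metacharacter list and the sandbox-root layout are assumptions. The vulnerable function is included only for contrast and is never invoked.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Bash metacharacters that must never reach a shell unescaped. Rejecting
// them up front is the input-validation layer; the real fix is SafeWrite.
const shellMeta = "$`;|&<>(){}'\"\\\n"

// HasShellMeta reports whether a user-supplied path contains a shell
// metacharacter such as the "$(" that starts command substitution.
func HasShellMeta(path string) bool {
	return strings.ContainsAny(path, shellMeta)
}

// VulnerableWrite reproduces the flawed pattern: the path is spliced into a
// string that sh -c parses, so "notes/$(cmd).txt" runs cmd. Contrast only.
func VulnerableWrite(path string, data []byte) error {
	cmd := exec.Command("sh", "-c", fmt.Sprintf("cat > %s", path))
	cmd.Stdin = bytes.NewReader(data)
	return cmd.Run()
}

// SafeWrite is the hardened form: no shell at all, and the path is a single
// argv element of tee, so the kernel hands it over verbatim and nothing in
// it is ever interpreted. root is the (assumed) sandbox directory.
func SafeWrite(root, rel string, data []byte) error {
	if HasShellMeta(rel) {
		return errors.New("refusing path with shell metacharacters")
	}
	full := filepath.Join(root, rel)
	if err := os.MkdirAll(filepath.Dir(full), 0o750); err != nil {
		return err
	}
	cmd := exec.Command("tee", "--", full) // "--" keeps "-x" names from being read as flags
	cmd.Stdin = bytes.NewReader(data)      // tee's stdout copy is discarded (cmd.Stdout is nil)
	return cmd.Run()
}

func main() {
	root, _ := os.MkdirTemp("", "sandbox")
	defer os.RemoveAll(root)
	fmt.Println(SafeWrite(root, "notes/today.txt", []byte("ok\n")))            // <nil>
	fmt.Println(SafeWrite(root, "notes/$(touch /tmp/pwned).txt", []byte("x"))) // error, nothing runs
}
```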
How can this vulnerability impact me?
This vulnerability can have serious impacts including arbitrary command execution on the affected system with root privileges. An attacker can exploit this to steal sensitive data, perform lateral movement within the network, escalate privileges, or execute other malicious commands remotely.
Because the exploit can be triggered remotely and the sandbox runs as root, the attacker gains significant control over the system, potentially compromising the entire environment where GoClaw is deployed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for suspicious file path inputs that include shell metacharacters, such as command substitution patterns like $(command). For example, an attacker might use a filename like notes/$(touch /tmp/pwned).txt to trigger command injection.
To detect exploitation attempts on your system, you can monitor for unexpected files like /tmp/pwned created by such commands or look for unusual shell command executions triggered by the goclaw process.
Suggested commands to detect potential exploitation include:
- Check for suspicious files created by command injection attempts: `ls -l /tmp/pwned`
- Monitor running processes for unexpected commands spawned by goclaw: `ps aux | grep goclaw`
- Search logs for suspicious filenames containing shell metacharacters: ``grep -E '\$\(|`' /var/log/*``
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote OS command injection with root privileges, enabling attackers to execute arbitrary commands, steal sensitive data, and escalate privileges.
Such unauthorized access and potential data breaches could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring system integrity.
Therefore, exploitation of this vulnerability could compromise confidentiality, integrity, and availability of data, impacting compliance with these common standards.