CVE-2026-10583
Deferred Deferred - Pending Action
Server-Side Request Forgery in GoClaw TTS Configuration

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. Affected by this issue is the function Import of the file internal/http/tts_config.go of the component TTS Configuration Endpoint. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10583
EUVD
EUVD-2026-33879
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nextlevelbuilder goclaw to 3.11.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10583 is a Server-Side Request Forgery (SSRF) vulnerability found in the GoClaw software up to version 3.11.3, specifically in the Text-to-Speech (TTS) configuration endpoint. The issue arises because the function handling the import of TTS configuration allows authenticated users with administrative privileges to store malicious API base URLs without proper validation.

When the server later attempts to use these stored URLs during TTS synthesis, it can be tricked into making unauthorized requests to internal or external endpoints, potentially exposing sensitive internal resources or cloud metadata services.

This vulnerability stems from a missing validation check in the handleSave method of the internal/http/tts_config.go file, which does not block private or sensitive IP addresses, unlike another endpoint that does perform such validation.

Impact Analysis

This SSRF vulnerability can allow an attacker with administrative privileges to make the server perform unauthorized network requests to internal systems or cloud metadata services.

  • Exposure of internal network resources that are normally inaccessible from outside.
  • Potential privilege escalation in cloud environments by accessing sensitive metadata endpoints.
  • Unauthorized probing or interaction with internal services, which could lead to further exploitation.

Overall, this can compromise the confidentiality and integrity of internal systems and data.

Detection Guidance

The vulnerability involves Server-Side Request Forgery (SSRF) through the TTS Configuration Endpoint in GoClaw, where malicious URLs can be stored and later triggered by synthesis requests.

Detection can focus on monitoring HTTP POST requests to the endpoint /v1/tts/config for suspicious or unexpected URL values in the api_base field, especially those pointing to internal or cloud metadata services.

Additionally, monitoring synthesis requests that trigger connections to stored URLs can help identify exploitation attempts.

  • Use network traffic analysis tools (e.g., tcpdump, Wireshark) to capture outgoing HTTP requests from the server to unusual or internal IP addresses.
  • Check logs for POST requests to /v1/tts/config containing URLs pointing to private IP ranges or cloud metadata endpoints.
  • Example command to monitor network traffic for suspicious outbound HTTP requests: tcpdump -i eth0 'tcp dst port 80 or tcp dst port 443'
  • Example command to search server logs for suspicious URL entries: grep -iE 'POST /v1/tts/config' /var/log/goclaw/access.log | grep -E '169.254.169.254|127.0.0.1|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])'
Mitigation Strategies

Immediate mitigation steps include restricting access to the TTS Configuration Endpoint to trusted administrators only, as the vulnerability requires authenticated users with admin privileges.

Validate and sanitize all URL inputs in the api_base field to block private IP ranges and cloud metadata service endpoints before storing them.

Apply any available patches or updates from the GoClaw project that address this SSRF vulnerability.

If patching is not immediately possible, consider disabling or restricting the TTS Configuration Endpoint functionality temporarily.

  • Enforce network egress filtering to prevent the server from making HTTP requests to internal or sensitive IP ranges.
  • Monitor and audit administrative actions related to TTS configuration changes.
Compliance Impact

The vulnerability in GoClaw allows authenticated users with administrative privileges to perform server-side request forgery (SSRF) attacks by injecting malicious URLs into the TTS configuration. This can lead to unauthorized internal network probing and potential access to sensitive internal services or cloud metadata endpoints.

Such unauthorized access and potential exposure of internal or sensitive data could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality, integrity, and access.

However, the provided information does not explicitly discuss compliance impacts or mitigation measures related to these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10583. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart