CVE-2026-10583
Server-Side Request Forgery in GoClaw TTS Configuration
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextlevelbuilder | goclaw | up to and including 3.11.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10583 is a Server-Side Request Forgery (SSRF) vulnerability found in the GoClaw software up to version 3.11.3, specifically in the Text-to-Speech (TTS) configuration endpoint. The issue arises because the function handling the import of TTS configuration allows authenticated users with administrative privileges to store malicious API base URLs without proper validation.
When the server later attempts to use these stored URLs during TTS synthesis, it can be tricked into making unauthorized requests to internal or external endpoints, potentially exposing sensitive internal resources or cloud metadata services.
This vulnerability stems from a missing validation check in the handleSave method of the internal/http/tts_config.go file, which does not block private or sensitive IP addresses, unlike another endpoint that does perform such validation.
How can this vulnerability impact me?
This SSRF vulnerability can allow an attacker with administrative privileges to make the server perform unauthorized network requests to internal systems or cloud metadata services.
- Exposure of internal network resources that are normally inaccessible from outside.
- Potential privilege escalation in cloud environments by accessing sensitive metadata endpoints.
- Unauthorized probing or interaction with internal services, which could lead to further exploitation.
Overall, this can compromise the confidentiality and integrity of internal systems and data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves Server-Side Request Forgery (SSRF) through the TTS Configuration Endpoint in GoClaw, where malicious URLs can be stored and later triggered by synthesis requests.
Detection can focus on monitoring HTTP POST requests to the endpoint /v1/tts/config for suspicious or unexpected URL values in the api_base field, especially those pointing to internal or cloud metadata services.
Additionally, monitoring synthesis requests that trigger connections to stored URLs can help identify exploitation attempts.
- Use network traffic analysis tools (e.g., tcpdump, Wireshark) to capture outgoing HTTP requests from the server to unusual or internal IP addresses.
- Check logs for POST requests to /v1/tts/config containing URLs pointing to private IP ranges or cloud metadata endpoints.
- Example command to monitor network traffic for suspicious outbound HTTP requests: `tcpdump -i eth0 'tcp dst port 80 or tcp dst port 443'`
- Example command to search server logs for suspicious URL entries (dots escaped so `169.254.169.254` is matched literally, and the `10.` and `172.` ranges anchored so port numbers such as `:8010` do not match): `grep -iE 'POST /v1/tts/config' /var/log/goclaw/access.log | grep -E '169\.254\.169\.254|127\.0\.0\.1|(^|[^0-9])10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.'`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the TTS Configuration Endpoint to trusted administrators only, as the vulnerability requires authenticated users with admin privileges.
Validate and sanitize all URL inputs in the api_base field to block private IP ranges and cloud metadata service endpoints before storing them.
Apply any available patches or updates from the GoClaw project that address this SSRF vulnerability.
If patching is not immediately possible, consider disabling or restricting the TTS Configuration Endpoint functionality temporarily.
- Enforce network egress filtering to prevent the server from making HTTP requests to internal or sensitive IP ranges.
- Monitor and audit administrative actions related to TTS configuration changes.
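The following is an added example, not GoClaw's own code, of the two checks the mitigation answer describes: a save-time validator for the api_base value and a dial-time hook for the synthesis client so that a hostname which later resolves to an internal address is still refused. Function names are assumptions; the blocked-address policy is the standard loopback, private, link-local (which covers 169.254.169.254) and unspecified set.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
	"syscall"
)

// blockedIP: loopback, RFC 1918 private, link-local (covers the 169.254.169.254
// metadata address), unspecified and multicast; IPv4-mapped IPv6 is normalised first.
func blockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateAPIBase is the save-time check for an api_base value (hypothetical
// helper): plain http(s), no embedded credentials, and no literal host that is
// local or blocked. Hostnames (and odd IP spellings such as hex or decimal
// forms) are deliberately left to DialControl, which sees the resolved address.
func ValidateAPIBase(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return fmt.Errorf("api_base %q: need a plain http(s) URL without credentials", raw)
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("api_base %q: host is missing or local", raw)
	}
	if ip := net.ParseIP(host); ip != nil && blockedIP(ip) {
		return fmt.Errorf("api_base %q: %s is a blocked address", raw, ip)
	}
	return nil
}

// DialControl is a net.Dialer.Control hook for the HTTP client used during
// synthesis: it receives the final resolved ip:port just before connect, so a
// hostname that re-resolves to an internal address (DNS rebinding) is refused.
func DialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || blockedIP(ip) {
		return fmt.Errorf("dial to %s refused by SSRF policy", address)
	}
	return nil
}
```

Wire the hook in with `(&net.Dialer{Control: DialControl}).DialContext` as the `DialContext` of the synthesis client's `http.Transport`; the same `ValidateAPIBase` check can be run over already-stored configurations to find entries saved before validation was in place.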
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in GoClaw allows authenticated users with administrative privileges to perform server-side request forgery (SSRF) attacks by injecting malicious URLs into the TTS configuration. This can lead to unauthorized internal network probing and potential access to sensitive internal services or cloud metadata endpoints.
Such unauthorized access and potential exposure of internal or sensitive data could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality, integrity, and access.
However, the provided information does not explicitly discuss compliance impacts or mitigation measures related to these regulations.