Executive Summary

CVE-2026-10617 is a critical security vulnerability in the GoClaw software up to version 3.11.3. It affects the authentication mechanism in the resolveAuth function of the Webhook Verification Handler component. Specifically, if certain security secrets like the GOCLAW_GATEWAY_TOKEN or webhook verification tokens are not configured, the system fails open and grants unauthorized access.

This means that unauthenticated remote users can gain administrative privileges and invoke sensitive endpoints without proper authentication. Additionally, webhook handlers may accept forged webhook payloads if their verification secrets are missing, allowing attackers to trigger unauthorized actions.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can lead to full administrative control over the affected GoClaw instance. Attackers can execute unauthorized tools, perform file operations, change configurations, and potentially compromise the entire system.

Additionally, attackers can send forged webhook payloads that are processed as legitimate events, leading to spoofed message processing and unauthorized actions within the system.

• Unauthorized tool execution
• File access and modification
• Configuration changes
• Complete system compromise
• Spoofed webhook event processing

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the environment variable GOCLAW_GATEWAY_TOKEN is unset or empty, which causes the authentication resolver to grant admin privileges without proper authentication.

Additionally, detection involves verifying whether webhook verification secrets such as verificationToken or webhookSecret are configured. If these are missing, webhook handlers skip signature or token verification, allowing forged webhook payloads.

Network detection can include monitoring for unauthorized HTTP requests to privileged endpoints like /v1/tools/invoke and /v1/mcp/servers that return HTTP 200 responses without proper authentication.

• Check environment variable: `echo $GOCLAW_GATEWAY_TOKEN` to see if it is set.
• Inspect GoClaw configuration files or environment for missing webhook secrets: search for empty or missing verificationToken or webhookSecret.
• Use curl or similar tools to test access to privileged endpoints without authentication, for example: `curl -i http://<goclaw-host>:<port>/v1/tools/invoke` and check if HTTP 200 is returned.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include setting the GOCLAW_GATEWAY_TOKEN environment variable to a strong secret value to ensure that HTTP authentication does not default to granting admin privileges.

Configure all webhook channels with their respective verification secrets, such as verificationToken or webhookSecret, to enforce signature or token verification and prevent forged webhook payloads.

Restrict network exposure of the GoClaw HTTP listener to trusted networks or use firewall rules to limit access only to authorized clients.

Review and audit logs for any unauthorized access attempts or suspicious webhook events to detect potential exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in GoClaw allows unauthenticated remote users to gain administrative access and execute privileged operations, potentially leading to unauthorized data access, modification, and system compromise.

Such unauthorized access and data manipulation can result in violations of common compliance standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Specifically, the risk of data leaks, arbitrary file access, and command execution could lead to breaches of personal or sensitive data, undermining regulatory requirements for protecting user information and maintaining auditability.

Useful 0 Not Useful 0