CVE-2026-10617
Missing Authentication in GoClaw Webhook Verification
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextlevelbuilder | goclaw | to 3.11.3 (inc) |
| nextlevelbuilder | goclaw | From 2.8.1 (inc) to 3.11.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10617 is a critical security vulnerability in the GoClaw software up to version 3.11.3. It affects the authentication mechanism in the resolveAuth function of the Webhook Verification Handler component. Specifically, if certain security secrets like the GOCLAW_GATEWAY_TOKEN or webhook verification tokens are not configured, the system fails open and grants unauthorized access.
This means that unauthenticated remote users can gain administrative privileges and invoke sensitive endpoints without proper authentication. Additionally, webhook handlers may accept forged webhook payloads if their verification secrets are missing, allowing attackers to trigger unauthorized actions.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to full administrative control over the affected GoClaw instance. Attackers can execute unauthorized tools, perform file operations, change configurations, and potentially compromise the entire system.
Additionally, attackers can send forged webhook payloads that are processed as legitimate events, leading to spoofed message processing and unauthorized actions within the system.
- Unauthorized tool execution
- File access and modification
- Configuration changes
- Complete system compromise
- Spoofed webhook event processing
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the environment variable GOCLAW_GATEWAY_TOKEN is unset or empty, which causes the authentication resolver to grant admin privileges without proper authentication.
Additionally, detection involves verifying whether webhook verification secrets such as verificationToken or webhookSecret are configured. If these are missing, webhook handlers skip signature or token verification, allowing forged webhook payloads.
Network detection can include monitoring for unauthorized HTTP requests to privileged endpoints like /v1/tools/invoke and /v1/mcp/servers that return HTTP 200 responses without proper authentication.
- Check environment variable: `echo $GOCLAW_GATEWAY_TOKEN` to see if it is set.
- Inspect GoClaw configuration files or environment for missing webhook secrets: search for empty or missing verificationToken or webhookSecret.
- Use curl or similar tools to test access to privileged endpoints without authentication, for example: `curl -i http://<goclaw-host>:<port>/v1/tools/invoke` and check if HTTP 200 is returned.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include setting the GOCLAW_GATEWAY_TOKEN environment variable to a strong secret value to ensure that HTTP authentication does not default to granting admin privileges.
Configure all webhook channels with their respective verification secrets, such as verificationToken or webhookSecret, to enforce signature or token verification and prevent forged webhook payloads.
Restrict network exposure of the GoClaw HTTP listener to trusted networks or use firewall rules to limit access only to authorized clients.
Review and audit logs for any unauthorized access attempts or suspicious webhook events to detect potential exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in GoClaw allows unauthenticated remote users to gain administrative access and execute privileged operations, potentially leading to unauthorized data access, modification, and system compromise.
Such unauthorized access and data manipulation can result in violations of common compliance standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.
Specifically, the risk of data leaks, arbitrary file access, and command execution could lead to breaches of personal or sensitive data, undermining regulatory requirements for protecting user information and maintaining auditability.