CVE-2026-14716
Received - Intake

Incorrect Authorization in GoClaw WebSocket RPC Handler

Vulnerability report for CVE-2026-14716, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A security vulnerability has been detected in nextlevelbuilder GoClaw up to and including 3.13.0-beta.2. The affected function is MethodRouter.Handle in the file internal/gateway/router.go of the WebSocket RPC Handler component. Manipulation of this handler leads to incorrect authorization. The attack may be launched remotely. An exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: nextlevelbuilder
Product: goclaw
Version / Range: up to 3.13.0-beta.2 (inclusive)

Exploitability

CWE
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Executive Summary

The vulnerability CVE-2026-14716 is an authorization bypass in the GoClaw WebSocket RPC system. It occurs because the system incorrectly authorizes API calls by relying only on a coarse operator role derived from API key scopes, rather than enforcing the original, more specific scopes.

Specifically, API keys with limited scopes, such as the 'operator.approvals' scope which should only allow approval-related actions, can improperly invoke unrelated methods that require broader permissions, like creating cron jobs. This happens because the WebSocket router authorizes RPC calls based on roles instead of the precise scopes, allowing unauthorized actions.

The root cause is that the WebSocket dispatcher does not enforce scope-based authorization checks and relies solely on role-based checks instead, which undermines the principle of least privilege.

Impact Analysis

This vulnerability can allow an attacker with an API key that has limited permissions to perform unauthorized actions that require higher privileges. For example, an attacker could create unauthorized cron jobs or perform other operator-write actions that should be restricted.

Such unauthorized actions can lead to unintended state changes, potentially compromising the integrity and security of the system.

Because the exploit can be launched remotely and has been publicly disclosed, there is a risk of active exploitation if the system is running a vulnerable version.

Detection Guidance

This vulnerability involves an authorization bypass in GoClaw's WebSocket RPC system, where API keys with limited scopes can invoke unauthorized methods. Detection involves monitoring WebSocket RPC calls for unauthorized method invocations, especially those that should be restricted by API key scopes.

To detect exploitation attempts, you can analyze logs or capture network traffic for WebSocket connections to the GoClaw server and check if API keys with limited scopes (e.g., operator.approvals) are invoking methods that require broader permissions (e.g., cron.create).

Suggested commands include using network monitoring tools like tcpdump or Wireshark to capture WebSocket traffic, and grep or jq to filter logs for suspicious RPC method calls.

  • Use tcpdump to capture WebSocket traffic on the relevant port (e.g., 8080): tcpdump -i eth0 -w goclaw_ws.pcap port 8080
  • Analyze captured traffic with Wireshark, filtering for WebSocket frames and inspecting RPC method names. Method names are only visible if the connection is plain ws:// or the capture is taken where TLS is terminated; a wss:// capture on the wire shows encrypted frames only.
  • Search GoClaw server logs for RPC calls with unexpected methods invoked by limited-scope API keys (the log path and the 'rpc_call' marker are placeholders; adjust them to your deployment's logging): grep 'rpc_call' /var/log/goclaw.log | grep -E 'cron\.create|operator\.write|operator\.admin'
  • If logs are in JSON format, use jq to filter for suspicious method calls and API key scopes.
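The role-versus-scope flaw described in the executive summary and the log check suggested in the detection guidance, as one added Go example that is not GoClaw's code: the method-to-scope table, the JSON log field names and the log format are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"strings"
)

var requiredScope = map[string]string{ // hypothetical table; GoClaw's real mapping is not on the page
	"approvals.approve": "operator.approvals",
	"cron.create":       "operator.write",
}

// Flawed check (root cause): any operator.* scope collapses to one coarse operator role.
func AuthorizeByRole(scopes []string, method string) bool {
	for _, s := range scopes {
		if strings.HasPrefix(s, "operator.") {
			return true
		}
	}
	return false
}

// Corrected check: the key must hold the exact scope the method requires; unlisted methods fail closed.
func AuthorizeByScope(scopes []string, method string) bool {
	need, known := requiredScope[method]
	for _, s := range scopes {
		if known && s == need {
			return true
		}
	}
	return false
}

type rpcLog struct { // constructed JSON log record of one RPC call, not GoClaw's real format
	KeyID  string   `json:"key_id"`
	Scopes []string `json:"scopes"`
	Method string   `json:"method"`
}

// FindScopeViolations flags logged calls the role check admits but the scope check denies (the CVE's exploitation pattern).
func FindScopeViolations(lines []string) []string {
	var hits []string
	for _, ln := range lines {
		var r rpcLog // a line that fails to parse is skipped by the short-circuit below
		if json.Unmarshal([]byte(ln), &r) == nil && AuthorizeByRole(r.Scopes, r.Method) && !AuthorizeByScope(r.Scopes, r.Method) {
			hits = append(hits, r.KeyID+" "+r.Method)
		}
	}
	return hits
}
```

Each hit is an approvals-only (or other narrow-scope) key calling a method outside its scope, which is exactly what a vulnerable router admits and a patched one should reject.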

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the use of API keys with the operator.approvals scope until a patch or fix is applied, as these keys can be exploited to perform unauthorized actions.

Review and audit all API keys and their scopes to ensure they follow the principle of least privilege.

If possible, update GoClaw to a version later than 3.13.0-beta.2 where this vulnerability is fixed.

Monitor WebSocket RPC traffic and logs for suspicious activity as described in detection steps.

Consider temporarily disabling or restricting WebSocket RPC access from untrusted networks.
