CVE-2026-16119
Received Received - Intake

Incorrect Authorization in GoClaw WebSocket Approval Endpoint

Vulnerability report for CVE-2026-16119, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability was found in nextlevelbuilder GoClaw up to 3.13.2. This affects the function RequestApproval of the file internal/tools/exec_approval.go of the component WebSocket Approval Endpoint. Performing a manipulation results in incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nextlevelbuilder goclaw to 3.13.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authorization bypass in GoClaw up to version 3.13.2. It affects the RequestApproval function in the WebSocket Approval Endpoint. The flaw allows remote attackers to bypass intended approval restrictions by manipulating commands. The exploit has been publicly disclosed and is remotely exploitable.

Detection Guidance

Check GoClaw logs for unauthorized WebSocket approval requests or suspicious command executions. Monitor for repeated approvals of BusyBox commands without fresh user input. Inspect the exec approval cache for entries with only basenames like 'busybox' instead of full commands.

Impact Analysis

An attacker could exploit this to execute arbitrary commands on the host system with GoClaw's privileges. This could lead to unauthorized file access, data tampering, credential theft, or further system compromise. The impact depends on GoClaw's deployment and permissions.

Compliance Impact

This vulnerability allows unauthorized command execution with host privileges, which could lead to data breaches, unauthorized access to sensitive information, or manipulation of stored data. For GDPR, this could result in violations of data integrity and confidentiality requirements. For HIPAA, it may compromise protected health information integrity and availability.

Mitigation Strategies

Upgrade GoClaw to a version beyond 3.13.2. Disable the 'allow-always' approval feature in the exec approval cache. Review and remove any existing allowlist entries that only contain basenames like 'busybox'. Monitor for unauthorized command executions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16119. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart