CVE-2026-16120
Received Received - Intake

Path Traversal in GoClaw Software

Vulnerability report for CVE-2026-16120, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlist/extractBin of the file internal/tools/exec_approval.go. Executing a manipulation can lead to incorrectly-resolved name. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nextlevelbuilder goclaw to 3.13.3-beta.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16120 is a vulnerability in GoClaw, a command execution tool, that allows authenticated operators with operator privileges to bypass command approval restrictions. The issue occurs when the exec approval system uses a basename-based allowlist (e.g., allowing 'echo') but the actual command execution runs the full command string (e.g., './echo'). An attacker can place a malicious binary with the same name as an allowed command in a workspace directory. When the operator invokes the command via the HTTP endpoint POST /v1/tools/invoke with the workspace set to the attacker-controlled directory, the approval layer approves the basename 'echo,' but the host executes the malicious './echo' binary instead. This bypasses security controls, allowing arbitrary command execution on the host system with the privileges of the GoClaw process.

The vulnerability affects GoClaw versions up to 3.13.3-beta.3 and has been assigned a high severity score (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The root cause is the mismatch between the approval logic, which checks only the basename, and the execution logic, which runs the full command string.

Detection Guidance

Check GoClaw versions up to 3.13.3-beta.3 for the vulnerability. Inspect command approval logs for mismatches between allowed basenames and executed full commands. Look for unauthorized binary placements in workspace directories.

Impact Analysis

This vulnerability allows attackers with operator privileges to execute arbitrary commands on the host system where GoClaw is running. This could lead to unauthorized access, data theft, system compromise, or disruption of services. Attackers could install malware, escalate privileges, or pivot to other systems within the network.

Compliance Impact

This vulnerability could lead to unauthorized access or data breaches, which may violate compliance requirements under GDPR (e.g., unauthorized data processing, lack of access controls) and HIPAA (e.g., unauthorized access to protected health information). Organizations using GoClaw may face legal penalties, reputational damage, and loss of trust due to non-compliance with these regulations.

Mitigation Strategies

Upgrade GoClaw to a version beyond 3.13.3-beta.3. Implement strict path validation in command approval logic to match full command strings, not just basenames. Restrict workspace directory permissions to prevent unauthorized binary placement.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16120. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart