CVE-2026-16121
Received Received - Intake

Improper Authorization in GoClaw via isSafeBin Function

Vulnerability report for CVE-2026-16121, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/exec_approval.go. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nextlevelbuilder goclaw to 3.13.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects GoClaw up to version 3.13.2. It involves the improper authorization in the function isSafeBin within the file internal/tools/exec_approval.go. The issue allows authenticated users to bypass human approval for unsafe commands by exploiting how the system checks command safety based only on the command name like 'sort' without considering dangerous flags such as '-o' which can write files.

Detection Guidance

Check GoClaw versions up to 3.13.2 for the vulnerable function isSafeBin in internal/tools/exec_approval.go. Monitor HTTP API calls to /v1/tools/invoke for commands like sort -o or grep -R that bypass approval. Review execApproval logs for unauthorized file operations or bypassed human reviews.

Impact Analysis

An attacker could exploit this to perform unauthorized file writes or reads within the workspace by sending crafted commands through the HTTP API. This bypasses intended safety controls, potentially leading to data loss, unauthorized file modifications, or access to sensitive information. The attack requires authenticated access but can be executed remotely.

Compliance Impact

This vulnerability could lead to unauthorized data access or modification, violating confidentiality and integrity requirements in GDPR and HIPAA. Organizations using affected GoClaw versions may fail compliance audits due to inadequate access controls and audit mechanisms, risking legal penalties and reputational damage.

Mitigation Strategies

Upgrade GoClaw to a version beyond 3.13.2. Disable or restrict access to the /v1/tools/invoke endpoint. Set execApproval.security to strict mode and disable ask-on-miss configurations. Audit and revoke unauthorized file modifications in workspace directories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16121. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart