CVE-2026-16123
Received Received - Intake

Missing Authorization in GoClaw Invoke Endpoint

Vulnerability report for CVE-2026-16123, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/tools_invoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nextlevelbuilder goclaw to 3.13.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16123 is a cross-agent authorization bypass in GoClaw software versions up to 3.13.2. The flaw allows an authenticated user with limited privileges to create cron jobs targeting another user's private agent without proper authorization checks. The issue occurs in the /v1/tools/invoke endpoint where the agentId parameter is accepted without verifying access permissions. This stored unauthorized binding later executes under the foreign agent's configuration.

Detection Guidance

To detect this vulnerability, check GoClaw logs for unauthorized cron job creation attempts targeting foreign agents. Look for HTTP requests to the /v1/tools/invoke endpoint with agentId parameters set to values not owned by the requesting user. Monitor database entries in the cron_jobs table for mismatches between user_id and agent_id fields.

Impact Analysis

This vulnerability allows lower-privileged users to compromise agent ownership boundaries and execute scheduled tasks under another user's agent configuration. Attackers could plant cron jobs that run with elevated privileges or access restricted resources. The public exploit availability increases the risk of real-world attacks. The impact includes unauthorized access to other users' agents and potential data breaches.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection requirements and HIPAA's security rules for protected health information. The authorization bypass undermines access control mechanisms required by these regulations. Organizations using affected GoClaw versions may face compliance violations, potential fines, and increased audit scrutiny due to inadequate security controls.

Mitigation Strategies

Immediately upgrade GoClaw to version 3.13.3 or later which patches the authorization bypass. If upgrading is not possible, restrict access to the /v1/tools/invoke endpoint and implement strict input validation for agentId parameters. Review existing cron jobs for unauthorized agent bindings and revoke any suspicious entries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart