CVE-2026-16124
Received Received - Intake

Server-Side Request Forgery in GoClaw

Vulnerability report for CVE-2026-16124, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/web_shared.go of the component web_fetch. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 3.15.0-beta.33 is able to mitigate this issue. The name of the patch is 12a0168271827650ddb0026d6277fbadf3dcf3ea. Upgrading the affected component is recommended.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nextlevelbuilder goclaw to 3.15.0-beta.0 (inc)
nextlevelbuilder goclaw to 3.13.3-beta.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Server-Side Request Forgery (SSRF) vulnerability in GoClaw up to version 3.15.0-beta.32. It affects the CheckSSRF/isPrivateIP function in the web_fetch component. The flaw allows bypassing SSRF protections by exploiting special-use IPv4 ranges like 198.18.0/15 and 240.0.0/4, enabling unauthorized outbound requests to restricted destinations.

Detection Guidance

To detect this vulnerability, check if your GoClaw instance is running a version up to 3.15.0-beta.32. Inspect the SSRF protection mechanism for missing IP range blocks (198.18.0.0/15 and 240.0.0.0/4). Use network monitoring tools to identify outbound requests to these ranges.

Impact Analysis

An attacker with RoleOperator permissions could force the GoClaw server to make requests to internal services or special IP ranges. This may allow probing network reachability, reading responses from internal services, or attacking downstream systems reachable from the GoClaw host. The impact includes potential data exfiltration and unauthorized access.

Compliance Impact

This SSRF vulnerability could potentially impact compliance with GDPR and HIPAA by enabling unauthorized data exfiltration or network probing. GDPR requires protecting personal data from unauthorized access, while HIPAA mandates safeguarding protected health information. The vulnerability allows bypassing SSRF protections to access internal services, which may expose sensitive data or violate data isolation requirements.

Mitigation Strategies

Upgrade GoClaw to version 3.15.0-beta.33 or later. Apply the patch commit 12a0168271827650ddb0026d6277fbadf3dcf3ea. Ensure SSRF protection blocks the IP ranges 198.18.0.0/15 and 240.0.0.0/4.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart