Description
A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project tagged the reported issue as bug.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in GoClaw's RoleAdmin Gateway component, specifically in the handleSave function of tts_config.go, which fails to enforce proper privilege checks on configuration changes. This allows an authenticated user to alter privileged settings and elevate privileges beyond intended boundaries. The weakness corresponds to CWE-266 (Improper Privilege Management) and CWE-269 (Improper Privilege Escalation).

Affected Systems

Affected product: nextlevelbuilder GoClaw, up to and including version 3.11.3. The vulnerability is triggered by interacting with the RoleAdmin Gateway module that handles configuration saving. No other products or versions are currently listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available, but the vulnerability has an openly published exploit and remote exploitation is feasible. The attack likely involves sending crafted HTTP requests to the RoleAdmin Gateway endpoint to trigger the handleSave function without proper privilege validation, enabling an attacker to gain elevated permissions or modify system configuration. The vulnerability is not listed in CISA KEV.

Generated by OpenCVE AI on June 1, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GoClaw to version 3.11.4 or later where the issue has been fixed.
  • Configure the RoleAdmin Gateway to require authentication and enforce role-based access controls for configuration changes.
  • Restrict network access to the RoleAdmin Gateway endpoint to internal trusted hosts or IP ranges to limit the surface for remote exploitation.


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 04:00:00 +0000

Type               | Values Removed | Values Added
Description        |                | A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project tagged the reported issue as bug.
Title              |                | nextlevelbuilder GoClaw RoleAdmin Gateway tts_config.go handleSave privileges management
First Time appeared|                | Nextlevelbuilder; Nextlevelbuilder goclaw
Weaknesses         |                | CWE-266; CWE-269
CPEs               |                | cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:*
Vendors & Products |                | Nextlevelbuilder; Nextlevelbuilder goclaw
References         |                |
Metrics            |                | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                   |                | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                   |                | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                   |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T02:45:09.177Z

Reserved: 2026-05-31T07:40:58.866Z

Link: CVE-2026-10217

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T04:16:20.680

Modified: 2026-06-01T04:16:20.680

Link: CVE-2026-10217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T05:30:21Z

Weaknesses