Description
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. Affected by this issue is the function Import of the file internal/http/tts_config.go of the component TTS Configuration Endpoint. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
Published: 2026-06-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Import function of the TTS Configuration Endpoint in nextlevelbuilder GoClaw. An attacker can supply a crafted request that causes the server to fetch arbitrary URLs. This server-side request forgery (SSRF) can expose internal hosts or services, leak sensitive data, and potentially allow further exploitation of upstream systems. The flaw is reachable through the Import endpoint and can be triggered remotely without authentication.

Affected Systems

The issue affects nextlevelbuilder GoClaw versions up to 3.11.3, inclusive. All users running these releases without subsequent patches are potentially exposed when using the vulnerable TTS Configuration Endpoint.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk. The lack of an EPSS score and absence from the CISA KEV list suggest limited public exploitation activity to date. However, attackers can reach the vulnerable endpoint over the network, and the SSRF flaw is publicly documented, meaning that a determined adversary could leverage existing proof‑of‑concept code to trigger the attack and gain access to internal resources.

Generated by OpenCVE AI on June 2, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GoClaw to version 3.11.4 or later to address the SSRF flaw.
  • If an upgrade is not immediately possible, restrict inbound traffic to the TTS configuration endpoint or remove the import functionality from exposed interfaces.
  • Apply network segmentation and firewall rules to block or limit outbound requests originating from the GoClaw service, mitigating potential internal asset compromise.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 03:45:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. Affected by this issue is the function Import of the file internal/http/tts_config.go of the component TTS Configuration Endpoint. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
Title | | nextlevelbuilder GoClaw TTS Configuration Endpoint tts_config.go import server-side request forgery
First Time appeared | | Nextlevelbuilder; Nextlevelbuilder goclaw
Weaknesses | | CWE-918
CPEs | | cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:*
Vendors & Products | | Nextlevelbuilder; Nextlevelbuilder goclaw
References | |
Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T02:45:08.811Z

Reserved: 2026-06-01T18:17:50.467Z

Link: CVE-2026-10583

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T04:17:03.220

Modified: 2026-06-02T04:17:03.220

Link: CVE-2026-10583

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T04:30:36Z

Weaknesses