Description
A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to missing authorization. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
Published: 2026-06-02
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the TeamTasksTool.executeComplete function of the GoClaw Team Task Completion Handler allows an attacker to skip required authorization checks. When exploited, a remote user can force any team task to be marked completed without possessing the necessary permissions. The vulnerability stems from missing verification of the caller’s privileges before executing the state change, thereby compromising the integrity of task management. Consequently, untrusted users could prematurely finish tasks or alter task outcomes, potentially disrupting workflow and trust in the system.

Affected Systems

The weakness is present in all releases of nextlevelbuilder:GoClaw up to and including version 3.11.3. The affected code resides in internal/tools/team_tasks_lifecycle.go within the Team Task Completion Handler component.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The attack vector is remote; public exploits are available, which suggests that an attacker may leverage the flaw through exposed external interfaces. Because the problem involves authorization logic, it can lead to unauthorized privilege increases and data integrity issues. The risk remains significant, especially in environments where the GoClaw instance is exposed to untrusted networks.

Generated by OpenCVE AI on June 3, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GoClaw to a patched release (ensure the version is newer than 3.11.3).
  • Enforce role‑based access controls on the task completion endpoint to guarantee only properly authorized users can trigger state changes.
  • Audit task completion logs regularly to detect and investigate any unauthorized changes, and apply remedial action if suspicious activity is found.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to missing authorization. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug. |
| Title | | nextlevelbuilder GoClaw Team Task Completion team_tasks_lifecycle.go TeamTasksTool.executeComplete authorization |
| First Time appeared | | Nextlevelbuilder |
| | | Nextlevelbuilder goclaw |
| Weaknesses | | CWE-862 |
| | | CWE-863 |
| CPEs | | cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:* |
| Vendors & Products | | Nextlevelbuilder |
| | | Nextlevelbuilder goclaw |
| References | | |
| Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T18:30:09.138Z

Reserved: 2026-06-02T13:49:13.400Z

Link: CVE-2026-10616

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:32.410

Modified: 2026-06-02T20:16:32.410

Link: CVE-2026-10616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses