Description
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook Verification Handler. The manipulation leads to missing authentication. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
Published: 2026-06-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from a missing authentication check in the resolveAuth function of the Webhook Verification Handler. This omission allows an attacker to submit requests to the webhook endpoint without providing valid credentials. As a result, unauthorized callers could trigger the handler's logic, potentially leading to unintended data exposure or manipulation. The flaw is classified as improper authentication (CWE-287) and missing authentication for a critical function (CWE-306). Remote exploitation is feasible because the vulnerable code is exposed over a network interface.

Affected Systems

Nextlevelbuilder GoClaw, version 3.11.3 and earlier, is affected. The vulnerability resides in the internal/http/auth.go component used by the webhook verification service.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the EPSS score is currently unavailable, but the lack of a publicly available fix increases concern. The exploit can be performed remotely by sending crafted requests to the webhook endpoint, and because the vulnerability bypasses authentication, it may allow attackers to perform actions intended only for authorized users. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploitation activity is documented, though the issue has been disclosed on public channels.

Generated by OpenCVE AI on June 3, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest GoClaw release (3.11.4 or newer) where the resolveAuth function enforces proper authentication.
  • Restrict the webhook verification endpoint to trusted IP ranges or internal networks and add an additional secret or HMAC verification if not already in place.
  • Conduct a security review of webhook handling logic to confirm that authentication checks are present before processing any request and monitor logs for suspicious unauthenticated activity.
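The second recommendation above asks for a secret or HMAC check on the webhook endpoint. The following is an added example, written here and not taken from GoClaw's source or from OpenCVE, of what such a check looks like in Go: a middleware that fails closed when the signature header is absent or malformed, verifies an HMAC-SHA256 over the request body with a constant-time comparison, and only then passes the request on. The header name (X-Webhook-Signature), the secret, and the payload are constructed placeholders, not values from the advisory.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical header name; the advisory does not name GoClaw's real header.
const signatureHeader = "X-Webhook-Signature"

// maxBodyBytes bounds how much request body is read before verification.
const maxBodyBytes = 1 << 20

// signBody returns the hex-encoded HMAC-SHA256 of body under secret, in the
// "sha256=<hex>" form commonly used by webhook producers.
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature reports whether header is a valid signature for body.
// It fails closed: a missing or malformed header is a verification failure,
// and hmac.Equal keeps the comparison constant-time.
func verifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// requireWebhookAuth wraps next so that only requests carrying a valid
// signature reach it. Every failure path returns 401 before next runs.
func requireWebhookAuth(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		header := r.Header.Get(signatureHeader)
		if header == "" {
			http.Error(w, "missing signature", http.StatusUnauthorized)
			return
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !verifySignature(secret, body, header) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		// Hand the already-consumed body to the downstream handler.
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

// deliver posts body to handler with the given signature header (empty means
// no header at all) and returns the HTTP status code the handler produced.
func deliver(handler http.Handler, body []byte, header string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
	if header != "" {
		req.Header.Set(signatureHeader, header)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample, not a real secret
	body := []byte(`{"event":"ping"}`)          // constructed sample payload
	handler := requireWebhookAuth(secret, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	fmt.Println("no header      ->", deliver(handler, body, ""))
	fmt.Println("bad signature  ->", deliver(handler, body, "sha256=00"))
	fmt.Println("good signature ->", deliver(handler, body, signBody(secret, body)))
}
```

The order of the checks is the point: the header presence test runs before the body is read, so an unauthenticated caller never reaches the handler's logic, which is exactly the gap the advisory describes in resolveAuth. Restricting the endpoint by source address (the first half of the recommendation) belongs in front of this middleware, at the proxy or firewall, rather than in place of it.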



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type: Values Removed -> Values Added

Description: (none) -> A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook Verification Handler. The manipulation leads to missing authentication. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug.
Title: (none) -> nextlevelbuilder GoClaw Webhook Verification auth.go resolveAuth missing authentication
First Time appeared: (none) -> Nextlevelbuilder; Nextlevelbuilder goclaw
Weaknesses: (none) -> CWE-287; CWE-306
CPEs: (none) -> cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:*
Vendors & Products: (none) -> Nextlevelbuilder; Nextlevelbuilder goclaw
References: (none) -> (none listed)
Metrics: (none) ->
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T19:00:12.000Z

Reserved: 2026-06-02T13:49:15.773Z

Link: CVE-2026-10617

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:32.640

Modified: 2026-06-02T20:16:32.640

Link: CVE-2026-10617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses