Description
A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 3.9.0 mitigates this issue. Patch name: 406022e79f4a18b3070a446712080571eff11e30. You should upgrade the affected component.
Published: 2026-04-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the RPC Handler of nextlevelbuilder GoClaw and GoClaw Lite allows an attacker to manipulate an unknown function, leading to improper authorization. This weakness enables the bypass of access controls, potentially allowing remote actors to perform actions they should not be permitted to perform, which could compromise data confidentiality and system integrity.

Affected Systems

The vulnerability affects nextlevelbuilder GoClaw and GoClaw Lite releases up to and including version 3.8.5. Both vendor products listed under nextlevelbuilder:GoClaw and nextlevelbuilder:GoClaw Lite are impacted; the issue is fixed in version 3.9.0.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the description notes that the exploit is remote and published. The EPSS score is not available and the vulnerability is not listed in KEV, but the existence of a public exploit suggests a realistic threat of unauthorized access.

Generated by OpenCVE AI on May 2, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nextlevelbuilder GoClaw and GoClaw Lite to version 3.9.0 or later, which includes the patch identified by 406022e79f4a18b3070a446712080571eff11e30.
  • If upgrading via vendor release is not possible, directly apply the patch changes from commit 406022e79f4a18b3070a446712080571eff11e30 to the source code to fix the authorization logic.
  • Monitor RPC traffic for abnormal activity or repeated unauthorized attempts, and apply network segmentation or firewall rules to limit exposure of RPC endpoints to untrusted networks.

Generated by OpenCVE AI on May 2, 2026 at 00:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Nextlevelbuilder
Nextlevelbuilder goclaw
Nextlevelbuilder goclaw Lite
Vendors & Products Nextlevelbuilder
Nextlevelbuilder goclaw
Nextlevelbuilder goclaw Lite

Thu, 30 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. Upgrading to version 3.9.0 mitigates this issue. Patch name: 406022e79f4a18b3070a446712080571eff11e30. You should upgrade the affected component.
Title nextlevelbuilder GoClaw/GoClaw Lite RPC improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nextlevelbuilder Goclaw Goclaw Lite
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T21:24:33.058Z

Reserved: 2026-04-30T14:51:24.116Z

Link: CVE-2026-7505

cve-icon Vulnrichment

Updated: 2026-05-01T21:24:29.151Z

cve-icon NVD

Status : Deferred

Published: 2026-04-30T23:16:20.740

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7505

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T00:15:06Z

Weaknesses