| Field | Value |
|---|---|
| Title | nextlevelbuilder goclaw <= 3.11.3 Improper Privilege Management (CWE-269) |
| Source | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1118 |
| User | Eric-b (UID 96354) |
| Submitted | 07/05/2026 01:50 PM (28 days ago) |
| Moderated | 31/05/2026 09:41 AM (24 days later) |
| Status | Approved |
| VulDB Entry | 367496 [nextlevelbuilder GoClaw up to 3.11.3 RoleAdmin Gateway tts_config.go handleSave privilege escalation] |
| Points | 20 |

# Description

## Technical Details

A RoleAdmin Gateway Auth Bypass vulnerability exists in the `handleSave` and `handleDelete` methods in `internal/http/tts_config.go` and `internal/http/storage.go` of goclaw.

The application fails to verify the user's actual tenant role (Owner or Admin) because the `requireTenantAdmin()` check is missing from the TTS configuration and storage endpoints. When a request authenticates via the Web Gateway Token, `resolveAuthWithBearer` explicitly assigns the `RoleAdmin` system permission. As a result, any user with basic read-only ("Viewer") access inside the tenant can overwrite critical TTS or Storage configurations.

## Vulnerable Code

File: internal/http/tts_config.go & internal/http/storage.go

Method: handleSave & handleDelete

Why: The vulnerable methods lack `requireTenantAdmin()` verification, so arbitrary modifications submitted by read-only tenant users are silently applied to the system TTS settings and storage.

## Reproduction

1. Run the GoClaw API server with `GOCLAW_GATEWAY_TOKEN` enabled (standard Web UI configuration).
2. Ensure you have a `Viewer` (or lower-tier) membership ID within the targeted tenant space.
3. Execute the PoC script to bypass the gateway role and re-configure the TTS settings using a viewer's identity.

## Impact

- System Disruption (DoS): Invalid key input disables agent TTS capabilities.
- Server-Side Request Forgery (SSRF): Arbitrary URLs entered into the TTS configuration lead to blind backend network requests.
- Data Deletion / File Traversal: Allows file wiping, overwriting, and untracked file transfers on the hosting volume.
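The pattern the report describes, a system-level `RoleAdmin` granted by gateway-token authentication standing in for a missing tenant-level check, is shown below as an added Go example. It is not goclaw's code: the types `AuthContext`, `MembershipStore`, `TTSConfig`, `Server` and the functions `GatewayAuth`, `NewServer`, `handleSaveVulnerable` and `handleSaveFixed` are hypothetical stand-ins, and the membership data is constructed. `handleSaveVulnerable` gates only on the system role, so a Viewer authenticated through the gateway token passes; `handleSaveFixed` adds a `requireTenantAdmin` check against the caller's real membership role before any mutation, which is the mitigation the report's "Why" paragraph implies.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is the system-level role a credential resolver attaches to a request.
// Per the report, gateway-token authentication always yields RoleAdmin.
type Role string

const (
	RoleAdmin  Role = "admin"
	RoleViewer Role = "viewer"
)

// TenantRole is the caller's real membership role inside a tenant (hypothetical model).
type TenantRole string

const (
	TenantOwner  TenantRole = "owner"
	TenantAdmin  TenantRole = "admin"
	TenantViewer TenantRole = "viewer"
)

// AuthContext is what a bearer/gateway-token resolver hands to a handler (hypothetical).
type AuthContext struct {
	UserID     string
	TenantID   string
	SystemRole Role
}

// MembershipStore maps tenantID -> userID -> TenantRole (constructed sample data).
type MembershipStore map[string]map[string]TenantRole

// ErrForbidden is returned when the caller is not an Owner or Admin of the tenant.
var ErrForbidden = errors.New("forbidden: tenant owner or admin required")

// requireTenantAdmin enforces the tenant-level check the report says is missing:
// it consults the caller's actual membership role and ignores the system role.
func requireTenantAdmin(store MembershipStore, auth AuthContext) error {
	role, ok := store[auth.TenantID][auth.UserID] // indexing a nil inner map is safe in Go
	if !ok {
		return ErrForbidden
	}
	if role == TenantOwner || role == TenantAdmin {
		return nil
	}
	return ErrForbidden
}

// TTSConfig is a minimal stand-in for the configuration the endpoint saves.
type TTSConfig struct {
	Provider string
	Endpoint string
}

// Server holds tenant memberships and per-tenant TTS configuration in memory.
type Server struct {
	members MembershipStore
	tts     map[string]TTSConfig
}

// handleSaveVulnerable mirrors the flaw described in the report: only the
// system role is checked, and gateway-token auth always carries RoleAdmin,
// so any tenant member, including a Viewer, can overwrite the configuration.
func (s *Server) handleSaveVulnerable(auth AuthContext, cfg TTSConfig) error {
	if auth.SystemRole != RoleAdmin {
		return ErrForbidden
	}
	s.tts[auth.TenantID] = cfg
	return nil
}

// handleSaveFixed runs requireTenantAdmin before any mutation, so the
// gateway-granted RoleAdmin no longer substitutes for tenant ownership.
func (s *Server) handleSaveFixed(auth AuthContext, cfg TTSConfig) error {
	if auth.SystemRole != RoleAdmin {
		return ErrForbidden
	}
	if err := requireTenantAdmin(s.members, auth); err != nil {
		return err
	}
	s.tts[auth.TenantID] = cfg
	return nil
}

// NewServer builds a server with constructed memberships for tenant "t1":
// alice is the Owner, bob is a Viewer.
func NewServer() *Server {
	return &Server{
		members: MembershipStore{"t1": {"alice": TenantOwner, "bob": TenantViewer}},
		tts:     map[string]TTSConfig{},
	}
}

// GatewayAuth models the resolver behaviour the report describes: a gateway-token
// request is assigned RoleAdmin regardless of the caller's tenant membership.
func GatewayAuth(userID, tenantID string) AuthContext {
	return AuthContext{UserID: userID, TenantID: tenantID, SystemRole: RoleAdmin}
}

func main() {
	s := NewServer()
	cfg := TTSConfig{Provider: "example", Endpoint: "https://tts.example.invalid"}
	viewer := GatewayAuth("bob", "t1")
	fmt.Println("vulnerable, viewer:", s.handleSaveVulnerable(viewer, cfg)) // <nil>
	fmt.Println("fixed, viewer:", s.handleSaveFixed(viewer, cfg))           // forbidden
	fmt.Println("fixed, owner:", s.handleSaveFixed(GatewayAuth("alice", "t1"), cfg)) // <nil>
}
```

The fixed handler keeps the system-role gate and adds the tenant-role gate; both must pass, so a Viewer, a non-member, and a caller whose system role is not `RoleAdmin` are all rejected before the configuration map is touched.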