| Titel | mosaxiv clawlet 0.2.10 Missing Authorization (CWE-862) |
|---|
| Beschreibung | # Technical Details
A Cross-Session Authorization Bypass exists in the `cron` chat tool in `tools/tool_cron.go` of clawlet.
The application stores per-session ownership metadata (`Channel` and `To` fields) when a user creates a scheduled cron job, but fails to enforce that ownership on subsequent `list` and `remove` operations. The `list` action returns all enabled jobs from the shared store, and `remove` deletes by raw job ID without verifying caller/session ownership.
# Vulnerable Code
File: tools/tool_cron.go
Method: cron tool list and remove handlers
Why: The `list` case calls `r.Cron.List(false)` returning every enabled job regardless of session. The `remove` case forwards any `job_id` directly to `r.Cron.Remove(...)`. The lower-layer `cron.Service.Remove(id)` deletes by raw ID with no caller context, making the tool-layer authorization omission directly exploitable across chat sessions.
# Reproduction
1. Victim session creates a cron job through the normal chat tool path (stored with victim's channel/chat_id metadata).
2. Attacker session invokes `cron list` — receives the victim job name and ID because no caller scoping is applied.
3. Attacker invokes `cron remove` with the leaked `job_id`.
4. Independent file-system observation confirms the victim job is deleted from the shared cron store.
# Impact
- Enumerate scheduled jobs created by another chat session
- Learn victim job names, identifiers, and schedule types
- Delete victim jobs from the shared cron store
- Disrupt reminders, workflow triggers, and scheduled agent actions for other users
- Unauthorized cross-tenant interference and denial of scheduled automation |
|---|
| Quelle | ⚠️ https://github.com/mosaxiv/clawlet/issues/17 |
|---|
| Benutzer | Erichen (UID 98955) |
|---|
| Einreichung | 12.06.2026 10:39 (vor 1 Monat) |
|---|
| Moderieren | 17.07.2026 07:47 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 379759 [mosaxiv clawlet bis 0.2.10 cron Chat Tool tools/tool_cron.go list/remove erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|