| Título | nextlevelbuilder goclaw <= 3.11.3 Improper Privilege Management (CWE-269) |
|---|
| Descripción | # Technical Details
A RoleAdmin Gateway Auth Bypass vulnerability exists in the `handleSave` and `handleDelete` methods in `internal/http/tts_config.go` and `internal/http/storage.go` of goclaw.
The application fails to verify the user's actual tenant role (Owner or Admin) by missing the `requireTenantAdmin()` check for TTS configuration and storage endpoints. When a request authenticates via the Web Gateway Token, `resolveAuthWithBearer` explicitly assigns the `RoleAdmin` system permission. As a result, any user with basic read-only ("Viewer") access inside the tenant can overwrite critical TTS or Storage configurations.
# Vulnerable Code
File: internal/http/tts_config.go & internal/http/storage.go
Method: handleSave & handleDelete
Why: The vulnerable methods lack `requireTenantAdmin()` verification, silently applying arbitrary modifications from read-only tenant users to the system TTS settings and storage.
# Reproduction
1. Run the GoClaw API server with `GOCLAW_GATEWAY_TOKEN` enabled (standard Web UI configuration).
2. Ensure you have a `Viewer` (or lower-tier) membership ID within the targeted tenant space.
3. Execute the PoC script to bypass the gateway role and re-configure the TTS settings using a viewer's identity.
# Impact
- System Disruption (DoS): Invalid key input disables agent TTS capabilities.
- Server-Side Request Forgery (SSRF): Arbitrary URLs inputted into the TTS configuration lead to blinded backend network requests.
- Data Deletion / File Traversal: Allows file wiping, overwriting, and untracked file transfers on the hosting volume. |
|---|
| Fuente | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1118 |
|---|
| Usuario | Eric-b (UID 96354) |
|---|
| Sumisión | 2026-05-07 13:50 (hace 28 días) |
|---|
| Moderación | 2026-05-31 09:41 (24 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 367496 [nextlevelbuilder GoClaw hasta 3.11.3 RoleAdmin Gateway tts_config.go handleSave escalada de privilegios] |
|---|
| Puntos | 20 |
|---|