| Field | Value |
|---|---|
| Title | NextLevelBuilder GoClaw 3.13.0-beta.2 Incorrect Authorization (CWE-863) |
| Source | https://github.com/nextlevelbuilder/goclaw/issues/1188 |
| User | Eric-y (UID 95889) |
| Submission | 2026-06-04 08:50 (1 month ago) |
| Moderation | 2026-07-04 09:50 (1 month later) |
| Status | Accepted |
| VulDB Entry | 376305 [nextlevelbuilder GoClaw up to 3.13.0-beta.2 WebSocket RPC router.go MethodRouter.Handle privilege escalation] |
| Points | 20 |

# Description

## Technical Details

An authorization bypass exists in the `MethodRouter.Handle` WebSocket RPC authorization path in `internal/gateway/router.go` and `internal/permissions/policy.go` of GoClaw.

The application fails to enforce API-key scopes on WebSocket RPC requests issued after `connect`. It derives a coarse `operator` role from scopes such as `operator.approvals`, then authorizes methods using only that role instead of `CanAccessWithScopes(...)`.

## Vulnerable Code

File: `internal/gateway/router.go`, `internal/permissions/policy.go`, `internal/gateway/methods/cron.go`

Method: `MethodRouter.Handle`, API-key `connect` path, `RoleFromScopes`, `MethodScopes`, `cron.create`

Why: During `connect`, the API key scopes are stored but also mapped to `client.role`. Later dispatch checks only `pe.CanAccess(client.role, req.Method)`. Since `operator.approvals` maps to `RoleOperator`, unrelated operator-write methods such as `cron.create` are reachable even though `MethodScopes("cron.create")` requires `operator.write` or `operator.admin`.

## Reproduction

1. Start a GoClaw instance and mint a tenant-scoped API key limited to `operator.approvals`.
2. Connect over WebSocket using that key, then invoke `cron.create`.
3. Observe that the request succeeds and a new row is inserted into `cron_jobs`, while a control API key with `operator.read` is denied with `UNAUTHORIZED` and no row is created.

## Impact

- Narrow approval-only API keys can perform unrelated operator-write actions inside the tenant.
- Least-privilege boundaries for automation tokens and service accounts are weakened, allowing unauthorized state mutation such as cron job creation.
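The following Go snippet is an added illustration of the two checks the report contrasts, not GoClaw's own code: a role-only `CanAccess` that lets an approval-only key reach `cron.create`, beside a scope-aware `CanAccessWithScopes` that denies it. The `operatorScopes` table, `RoleViewer` and the `MethodScopes` entries are assumptions modelled on the report.

```go
package main

// Added illustration of the two authorization paths the report describes;
// names and both tables are assumptions, not GoClaw's actual code.
type Role string

const (
	RoleViewer   Role = "viewer"
	RoleOperator Role = "operator"
)

// Scopes the connect path collapses into the operator role (assumed). Note
// that operator.approvals alone suffices, which is the root of the bypass.
var operatorScopes = map[string]bool{
	"operator.approvals": true, "operator.write": true, "operator.admin": true,
}
// Scopes allowed to call each RPC method (assumed table).
var MethodScopes = map[string][]string{
	"cron.create":       {"operator.write", "operator.admin"},
	"approvals.resolve": {"operator.approvals", "operator.admin"},
}
// RoleFromScopes derives the coarse role stored on the client at connect.
func RoleFromScopes(scopes []string) Role {
	for _, s := range scopes {
		if operatorScopes[s] {
			return RoleOperator
		}
	}
	return RoleViewer
}
// CanAccess is the role-only check the vulnerable dispatch uses after connect.
func CanAccess(role Role, method string) bool {
	_, known := MethodScopes[method]
	return known && role == RoleOperator
}
// CanAccessWithScopes is the fix: the key must also hold one of the method's scopes.
func CanAccessWithScopes(role Role, scopes []string, method string) bool {
	if !CanAccess(role, method) {
		return false
	}
	for _, need := range MethodScopes[method] {
		for _, have := range scopes {
			if have == need {
				return true
			}
		}
	}
	return false
}
```

With a key holding only `operator.approvals`, `CanAccess(RoleFromScopes(key), "cron.create")` returns true (the bypass), while `CanAccessWithScopes(RoleFromScopes(key), key, "cron.create")` returns false and the same key still passes for `approvals.resolve`.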