| Título | mosaxiv clawlet 0.2.10 Missing Authorization (CWE-862) |
|---|
| Descripción | # Technical Details
A Cross-Session Authorization Bypass exists in the `cron` chat tool in `tools/tool_cron.go` of clawlet.
The application stores per-session ownership metadata (`Channel` and `To` fields) when a user creates a scheduled cron job, but fails to enforce that ownership on subsequent `list` and `remove` operations. The `list` action returns all enabled jobs from the shared store, and `remove` deletes by raw job ID without verifying caller/session ownership.
# Vulnerable Code
File: tools/tool_cron.go
Method: cron tool list and remove handlers
Why: The `list` case calls `r.Cron.List(false)` returning every enabled job regardless of session. The `remove` case forwards any `job_id` directly to `r.Cron.Remove(...)`. The lower-layer `cron.Service.Remove(id)` deletes by raw ID with no caller context, making the tool-layer authorization omission directly exploitable across chat sessions.
# Reproduction
1. Victim session creates a cron job through the normal chat tool path (stored with victim's channel/chat_id metadata).
2. Attacker session invokes `cron list` — receives the victim job name and ID because no caller scoping is applied.
3. Attacker invokes `cron remove` with the leaked `job_id`.
4. Independent file-system observation confirms the victim job is deleted from the shared cron store.
# Impact
- Enumerate scheduled jobs created by another chat session
- Learn victim job names, identifiers, and schedule types
- Delete victim jobs from the shared cron store
- Disrupt reminders, workflow triggers, and scheduled agent actions for other users
- Unauthorized cross-tenant interference and denial of scheduled automation |
|---|
| Fuente | ⚠️ https://github.com/mosaxiv/clawlet/issues/17 |
|---|
| Usuario | Erichen (UID 98955) |
|---|
| Sumisión | 2026-06-12 10:39 (hace 1 mes) |
|---|
| Moderación | 2026-07-17 07:47 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 379759 [mosaxiv clawlet hasta 0.2.10 cron Chat Tool tools/tool_cron.go list/remove escalada de privilegios] |
|---|
| Puntos | 20 |
|---|