| Titre | nextlevelbuilder goclaw <= 3.11.3 Improper Privilege Management (CWE-269) |
|---|
| Description | # Technical Details
A RoleAdmin Gateway Auth Bypass vulnerability exists in the `handleSave` and `handleDelete` methods in `internal/http/tts_config.go` and `internal/http/storage.go` of goclaw.
The application fails to verify the user's actual tenant role (Owner or Admin) by missing the `requireTenantAdmin()` check for TTS configuration and storage endpoints. When a request authenticates via the Web Gateway Token, `resolveAuthWithBearer` explicitly assigns the `RoleAdmin` system permission. As a result, any user with basic read-only ("Viewer") access inside the tenant can overwrite critical TTS or Storage configurations.
# Vulnerable Code
File: internal/http/tts_config.go & internal/http/storage.go
Method: handleSave & handleDelete
Why: The vulnerable methods lack `requireTenantAdmin()` verification, silently applying arbitrary modifications from read-only tenant users to the system TTS settings and storage.
# Reproduction
1. Run the GoClaw API server with `GOCLAW_GATEWAY_TOKEN` enabled (standard Web UI configuration).
2. Ensure you have a `Viewer` (or lower-tier) membership ID within the targeted tenant space.
3. Execute the PoC script to bypass the gateway role and re-configure the TTS settings using a viewer's identity.
# Impact
- System Disruption (DoS): Invalid key input disables agent TTS capabilities.
- Server-Side Request Forgery (SSRF): Arbitrary URLs inputted into the TTS configuration lead to blinded backend network requests.
- Data Deletion / File Traversal: Allows file wiping, overwriting, and untracked file transfers on the hosting volume. |
|---|
| La source | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1118 |
|---|
| Utilisateur | Eric-b (UID 96354) |
|---|
| Soumission | 07/05/2026 13:50 (il y a 28 jours) |
|---|
| Modérer | 31/05/2026 09:41 (24 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367496 [nextlevelbuilder GoClaw jusqu’à 3.11.3 RoleAdmin Gateway tts_config.go handleSave élévation de privilèges] |
|---|
| Points | 20 |
|---|