Submission #847501: NextLevelBuilder GoClaw 3.13.0-beta.2 Incorrect Authorization (CWE-863)

Title: NextLevelBuilder GoClaw 3.13.0-beta.2 Incorrect Authorization (CWE-863)

Description:

# Technical Details

An authorization bypass exists in the `MethodRouter.Handle` WebSocket RPC authorization path in `internal/gateway/router.go` and `internal/permissions/policy.go` of GoClaw. The application fails to enforce API-key scopes on subsequent WebSocket RPC requests after `connect`. It derives a coarse `operator` role from scopes such as `operator.approvals`, then authorizes methods using only that role instead of `CanAccessWithScopes(...)`.

# Vulnerable Code

File: `internal/gateway/router.go`, `internal/permissions/policy.go`, `internal/gateway/methods/cron.go`

Method: `MethodRouter.Handle`, API-key `connect` path, `RoleFromScopes`, `MethodScopes`, `cron.create`

Why: During `connect`, the API key scopes are stored but also mapped to `client.role`. Later dispatch checks `pe.CanAccess(client.role, req.Method)` only. Since `operator.approvals` maps to `RoleOperator`, unrelated operator-write methods like `cron.create` are reachable even though `MethodScopes("cron.create")` requires `operator.write` or `operator.admin`.

# Reproduction

1. Start a GoClaw instance and mint a tenant-scoped API key limited to `operator.approvals`.
2. Connect over WebSocket using that key, then invoke `cron.create`.
3. Observe that the request succeeds and a new row is inserted into `cron_jobs`, while a control API key with `operator.read` is denied with `UNAUTHORIZED` and no row is created.

# Impact

- Narrow approval-only API keys can perform unrelated operator-write actions inside the tenant.
- Least-privilege boundaries for automation tokens and service accounts are weakened, allowing unauthorized state mutation such as cron job creation.
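The following Go model, added here and not taken from GoClaw, contrasts the role-only check the report describes with the scope-aware check it says should run on every RPC after `connect`. The scope, method and function names are from the report; the signatures, the role table and the `RoleViewer` role are assumptions.

```go
package main

import "strings"
// Constructed model of the two authorization paths the report contrasts. Names come
// from the report; signatures, role table and RoleViewer are assumptions, not GoClaw's code.
type Role string

const (
	RoleOperator Role = "operator"
	RoleViewer   Role = "viewer" // assumed: read-only scopes land here
)

// MethodScopes lists the scopes allowed to call a method. Only the
// cron.create entry is stated in the report; anything else is denied (nil).
func MethodScopes(method string) []string {
	if method == "cron.create" {
		return []string{"operator.write", "operator.admin"}
	}
	return nil
}

// RoleFromScopes collapses scopes to a coarse role. Any operator.* scope other
// than operator.read yields RoleOperator, which is the root cause: after this
// step operator.approvals is indistinguishable from operator.write.
func RoleFromScopes(scopes []string) Role {
	for _, s := range scopes {
		if strings.HasPrefix(s, "operator.") && s != "operator.read" {
			return RoleOperator
		}
	}
	return RoleViewer
}

// CanAccess is the vulnerable dispatch check: role only, scopes ignored.
func CanAccess(role Role, method string) bool {
	return role == RoleOperator && MethodScopes(method) != nil
}

// CanAccessWithScopes is the scope-aware check that should run on every RPC
// after connect: the key must hold one of the scopes listed for the method.
func CanAccessWithScopes(scopes []string, method string) bool {
	for _, need := range MethodScopes(method) {
		for _, have := range scopes {
			if have == need {
				return true
			}
		}
	}
	return false
}
```

With an `operator.approvals` key, `CanAccess(RoleFromScopes(key), "cron.create")` returns true while `CanAccessWithScopes(key, "cron.create")` returns false, which is exactly the gap the reproduction steps exercise.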
Source: https://github.com/nextlevelbuilder/goclaw/issues/1188

User: Eric-y (UID 95889)

Submission: 04/06/2026 08:50 (1 month ago)

Moderation: 04/07/2026 09:50 (1 month later)

Status: Accepted

VulDB Entry: 376305 [nextlevelbuilder GoClaw up to 3.13.0-beta.2 WebSocket RPC router.go MethodRouter.Handle privilege escalation]

Points: 20