| 제목 | nextlevelbuilder goclaw <= 3.11.3 Improper Privilege Management (CWE-269) |
|---|
| 설명 | # Technical Details
A RoleAdmin Gateway Auth Bypass vulnerability exists in the `handleSave` and `handleDelete` methods in `internal/http/tts_config.go` and `internal/http/storage.go` of goclaw.
The application fails to verify the user's actual tenant role (Owner or Admin) by missing the `requireTenantAdmin()` check for TTS configuration and storage endpoints. When a request authenticates via the Web Gateway Token, `resolveAuthWithBearer` explicitly assigns the `RoleAdmin` system permission. As a result, any user with basic read-only ("Viewer") access inside the tenant can overwrite critical TTS or Storage configurations.
# Vulnerable Code
File: internal/http/tts_config.go & internal/http/storage.go
Method: handleSave & handleDelete
Why: The vulnerable methods lack `requireTenantAdmin()` verification, silently applying arbitrary modifications from read-only tenant users to the system TTS settings and storage.
# Reproduction
1. Run the GoClaw API server with `GOCLAW_GATEWAY_TOKEN` enabled (standard Web UI configuration).
2. Ensure you have a `Viewer` (or lower-tier) membership ID within the targeted tenant space.
3. Execute the PoC script to bypass the gateway role and re-configure the TTS settings using a viewer's identity.
# Impact
- System Disruption (DoS): Invalid key input disables agent TTS capabilities.
- Server-Side Request Forgery (SSRF): Arbitrary URLs inputted into the TTS configuration lead to blinded backend network requests.
- Data Deletion / File Traversal: Allows file wiping, overwriting, and untracked file transfers on the hosting volume. |
|---|
| 원천 | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1118 |
|---|
| 사용자 | Eric-b (UID 96354) |
|---|
| 제출 | 2026. 05. 07. PM 01:50 (28 날 ago) |
|---|
| 모더레이션 | 2026. 05. 31. AM 09:41 (24 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 367496 [nextlevelbuilder GoClaw 까지 3.11.3 RoleAdmin Gateway tts_config.go handleSave 권한 상승] |
|---|
| 포인트들 | 20 |
|---|