VYPR
← All advisories
Medium severity6.3NVD Advisory· Published Jun 1, 2026

CVE-2026-10217

CVE-2026-10217

Description

GoClaw up to 3.11.3 has an improper privilege management in the RoleAdmin Gateway allowing a Viewer to modify admin-only TTS and storage configurations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GoClaw up to 3.11.3 has an improper privilege management in the RoleAdmin Gateway allowing a Viewer to modify admin-only TTS and storage configurations.

Vulnerability

The vulnerability resides in the handleSave function of internal/http/tts_config.go in GoClaw up to version 3.11.3. The requireAuth middleware assigns RoleAdmin system permission to any authenticated user with a valid tenant membership when using the Web Gateway Token, but the handler fails to call requireTenantAdmin() to verify the user's actual tenant role. This missing check allows a user with only Viewer privileges to perform administrative actions on TTS and storage configurations [2].

Exploitation

An attacker needs network access to a GoClaw API server with GOCLAW_GATEWAY_TOKEN enabled and a valid Viewer (or lower-tier) membership ID within the target tenant. The attacker authenticates via the frontend web gateway, which grants RoleAdmin due to the flawed middleware, then sends crafted HTTP requests to the TTS configuration endpoints (e.g., handleSave) to modify, delete, or upload settings without being blocked [2].

Impact

Successful exploitation allows the attacker to alter administrative TTS and storage configurations, potentially disrupting service, manipulating data, or gaining further unauthorized access within the tenant. The attacker operates with the privileges of an Owner or Admin despite having only Viewer access [2].

Mitigation

As of the advisory date, no fixed version has been released; the project has tagged the issue as a bug [2]. Users should monitor the repository for patches. As a workaround, disable GOCLAW_GATEWAY_TOKEN or implement additional access controls at the network level until a fix is available.

References
  1. [Security] RoleAdmin Gateway Auth Bypass — Viewer Modifies Admin-Only TTS and Storage Config

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing requireTenantAdmin() call in TTS and storage handlers allows gateway-authenticated viewers to bypass tenant-level role checks."

Attack vector

An attacker with a valid Viewer (read-only) membership in the target tenant authenticates through the Web Gateway Token. The `resolveAuthWithBearer` middleware assigns `RoleAdmin` system permission to any valid tenant member, and because the TTS and storage handlers never call `requireTenantAdmin()`, the attacker can send a POST to `/v1/tts/config` or a DELETE to storage endpoints to modify or delete admin-only configuration. The PoC demonstrates changing the TTS `api_base` to an attacker-controlled URL, enabling SSRF. [ref_id=2]

Affected code

The vulnerability resides in `internal/http/tts_config.go` (function `handleSave`) and `internal/http/storage.go` (function `handleDelete`). These handlers lack a `requireTenantAdmin()` call, so they do not verify the caller's actual tenant-level role (Owner/Admin) before processing requests.

What the fix does

The advisory states that the missing defense is a call to `requireTenantAdmin()` inside the handler to verify the user's actual tenant role (Owner or Admin). This same fix was already applied to skills and builtin_tools endpoints in past patches (e.g., commit a9aedc84) but was missed for TTS and storage handlers. Adding the tenant-role check ensures that even though the gateway token grants `RoleAdmin` system permission, the handler still enforces the tenant-level role before allowing configuration changes. [ref_id=2]

Preconditions

  • configGoClaw API server must be running with GOCLAW_GATEWAY_TOKEN enabled (standard Web UI configuration)
  • authAttacker must possess a valid Viewer (or lower-tier) membership ID within the targeted tenant space
  • networkAttacker must be able to send HTTP requests to the gateway endpoints

Reproduction

The advisory provides a complete PoC: download the vulnerable docker-compose.yml, run `docker compose up -d`, download `poc_exploit.py`, and execute `python3 poc_exploit.py`. The script sends a POST to `/v1/tts/config` with a Viewer's token and receives a 200 response, changing the `api_base` to an attacker-controlled URL. A control script (`control-non_admin_blocked.py`) confirms that the same request with a non-gateway token is correctly blocked with HTTP 401. [ref_id=2]

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.