CVE-2026-10616
Description
GoClaw up to 3.11.3 has an authorization bypass in Team Task Completion Handler, allowing any team member to complete another's task.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A weakness exists in nextlevelbuilder GoClaw up to version 3.11.3 in the file internal/tools/team_tasks_lifecycle.go, specifically in the TeamTasksTool.executeComplete function of the Team Task Completion Handler component. The weakness is a missing authorization check.
Exploitation
An attacker, who must be an authenticated team member, can exploit this by knowing a teammate's task ID. The vulnerable flow is reachable via a POST /v1/tools/invoke request with team_tasks(action=complete). The executeComplete() function attempts to claim the task but ignores a failed claim. CompleteTask() then filters only on task ID, status, team ID, and tenant ID, without verifying that the caller is the task owner or holds the lock, so any authenticated team member can complete another member's in-progress task [1].
Impact
Successful exploitation allows an attacker to complete another team member's in-progress task. Additionally, the attacker can replace the stored task result with their own content, potentially corrupting downstream agent workflows, reviews, and audit trails. This compromise is limited to actions within the same team [1].
Mitigation
This vulnerability has been fixed in GoClaw version 3.11.4. Users are advised to upgrade to the latest version. No workarounds are specified in the available references [2].
- [1] [Security] GoClaw team task completion authorization bypass allows a team member to complete another member's in-progress task
- [2] GitHub - nextlevelbuilder/goclaw: GoClaw - GoClaw is OpenClaw rebuilt in Go — with multi-tenant isolation, 5-layer security, and native concurrency. Deploy AI agent teams at scale without compromising on safety.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.11.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Team Task Completion Handler improperly authorizes task completion requests, allowing any authenticated team member to complete another member's task."
Attack vector
An attacker who is a member of the same team as the victim can exploit this vulnerability by first obtaining the victim's task ID. This task ID can be retrieved through the team-wide task listing functionality exposed by the `executeList()` function [ref_id=1]. The attacker then sends a POST request to the `/v1/tools/invoke` endpoint with the `team_tasks` tool and `action=complete`, including the victim's task ID and attacker-controlled result content [ref_id=1]. This bypasses the intended authorization checks, allowing the attacker to complete the task.
Affected code
The vulnerability lies within the `executeComplete()` function in `internal/tools/team_tasks_lifecycle.go`. Specifically, the code calls `t.manager.Store().ClaimTask()` but ignores any errors, and then proceeds to call `t.manager.Store().CompleteTask()` without sufficient authorization checks [ref_id=1]. The `CompleteTask()` method in both SQLite and PostgreSQL backends updates tasks based on `id`, `status`, `team_id`, and `tenant_id`, but omits verification of the task owner or lock holder [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on remediation. However, it indicates that the issue is caused by two logic flaws: `executeComplete()` ignoring the failure of `ClaimTask()` and both storage backends completing tasks without verifying the caller's ownership or lock status [ref_id=1]. A proper fix would involve ensuring that `CompleteTask()` verifies that the caller is the owner of the task or holds the lock before proceeding.
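A hardened sketch of the two checks the paragraph above calls for, added here as an illustration and not GoClaw's own code: `find` mirrors the original `id`/`status`/`team_id` predicate, `CompleteTask` additionally requires the caller to be the task owner or the current lock holder, and `ExecuteComplete` treats a failed `ClaimTask` as fatal instead of ignoring it. The in-memory `Store`, the `Task` fields and all function signatures are assumptions (tenant scoping is omitted for brevity).

```go
package main

import "errors"

// Task and Store are a hypothetical in-memory model, not GoClaw's own types.
type Task struct{ TeamID, Owner, ClaimedBy, Status, Result string }
type Store struct{ Tasks map[string]*Task } // keyed by task id

// find applies only the original filter: id, status and team.
func (s *Store) find(teamID, id string) (*Task, error) {
	t, ok := s.Tasks[id]
	if !ok || t.TeamID != teamID || t.Status != "in_progress" {
		return nil, errors.New("no in-progress task with that id in this team")
	}
	return t, nil
}

// ClaimTask takes the lock unless another member already holds it.
func (s *Store) ClaimTask(teamID, id, caller string) error {
	t, err := s.find(teamID, id)
	if err != nil {
		return err
	}
	if t.ClaimedBy != "" && t.ClaimedBy != caller {
		return errors.New("task is locked by another member")
	}
	t.ClaimedBy = caller
	return nil
}

// CompleteTask (hardened): the caller must also be the owner or lock holder.
func (s *Store) CompleteTask(teamID, id, caller, result string) error {
	t, err := s.find(teamID, id)
	if err != nil {
		return err
	}
	if caller != t.Owner && caller != t.ClaimedBy {
		return errors.New("caller is neither task owner nor lock holder")
	}
	t.Status, t.Result = "completed", result
	return nil
}

// ExecuteComplete (hardened handler): a failed claim aborts instead of being ignored.
func ExecuteComplete(s *Store, teamID, id, caller, result string) error {
	if err := s.ClaimTask(teamID, id, caller); err != nil {
		return err
	}
	return s.CompleteTask(teamID, id, caller, result)
}
```

With the store-level check in place, even a handler that skipped the claim step could not overwrite another member's task result.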
Preconditions
- auth: The attacker must be an authenticated member of the same team as the victim.
- input: The attacker needs to know the victim's task ID.
Reproduction
The reference write-up provides detailed reproduction steps, including Python scripts for seeding the database and executing the exploit, as well as verification steps using `curl` and `sqlite3` [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.