CVE-2026-10217: GoClaw Privilege Escalation in RoleAdmin Gateway (CVSS 6.3)
A privilege management flaw exists in nextlevelbuilder GoClaw versions up to 3.11.3 that allows authenticated users to escalate their access or perform unauthorized actions. The vulnerability affects the RoleAdmin Gateway component, specifically in how it handles configuration saves. An attacker with valid credentials can exploit this remotely to gain elevated permissions or manipulate role-based access controls, potentially affecting data confidentiality, integrity, and availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-266, CWE-269
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project tagged the reported issue as bug.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10217 is a privilege management vulnerability in the handleSave function within internal/http/tts_config.go of nextlevelbuilder GoClaw's RoleAdmin Gateway. The flaw stems from improper validation of privilege boundaries when processing configuration updates, allowing an authenticated attacker to bypass intended access controls. The vulnerability is triggered during HTTP-based configuration operations and does not require user interaction or special system conditions to execute. Related weaknesses include improper authorization (CWE-266) and improper access control implementation (CWE-269).
Business impact
If exploited, this vulnerability could allow internal users or compromised accounts to perform administrative actions they are not entitled to execute. The impact extends across confidentiality, integrity, and availability—attackers may read sensitive configuration data, modify role assignments or system settings, or disrupt service availability. For organizations relying on GoClaw for role-based access enforcement, this represents a direct threat to access control boundaries and audit trail reliability.
Affected systems
nextlevelbuilder GoClaw versions up to and including 3.11.3 are affected. Organizations running GoClaw in production should verify their installed version and compare against the vendor's patched release. The RoleAdmin Gateway component is specifically involved, suggesting deployments using role management features are most exposed.
Exploitability
The attack vector is network-based and requires only a valid user account—no elevated privileges are needed to trigger the flaw. Exploitation is relatively straightforward once an attacker has credentials, as the vulnerability is present in normal configuration-handling operations. A published exploit exists and is publicly available, increasing the likelihood of opportunistic misuse. The CVSS score of 6.3 (MEDIUM) reflects the requirement for authenticated access but acknowledges the ease of exploitation and multi-faceted impact.
Remediation
Organizations must update nextlevelbuilder GoClaw to a patched version beyond 3.11.3. Consult the vendor's official security advisory to identify the exact release that resolves this issue. Patch testing should prioritize role management and gateway functionality to ensure proper privilege enforcement post-update. During the patching window, restrict administrative configuration operations to trusted staff and implement audit logging of all privilege-related activities.
Patch guidance
Verify the latest available release from nextlevelbuilder and confirm it addresses CVE-2026-10217. Apply patches to all GoClaw instances, particularly those assigned the RoleAdmin Gateway role. Test the patch in a staging environment against role-based workflows to confirm privilege boundaries are correctly enforced before production deployment. Review any configuration changes made by users during the vulnerability window post-patch.
Detection guidance
Monitor for unauthorized privilege escalation attempts in GoClaw audit logs, particularly within the RoleAdmin Gateway component. Flag HTTP requests to tts_config.go endpoints that originate from non-administrative accounts or that attempt to modify role definitions. Correlation with authentication logs can identify suspicious login patterns followed by configuration manipulation. Network IDS rules targeting unexpected configuration save operations from low-privilege accounts may also surface exploitation attempts.
Why prioritize this
Although the CVSS score is MEDIUM, the ease of exploitation, the requirement for only standard user credentials, and the availability of a public exploit warrant prompt remediation. Privilege escalation vulnerabilities directly threaten the integrity of access control systems. Organizations should prioritize patching within 30 days, with more aggressive timelines for systems managing sensitive roles or handling critical operations.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects a network-exploitable flaw requiring only low-privileged authentication. While the attack complexity is low and no user interaction is necessary, the impact is constrained to single systems (scope unchanged) and affects confidentiality, integrity, and availability at a partial level. The authenticated requirement prevents a higher score, but the combination of ease of exploitation and privilege-escalation impact places this in the upper range of MEDIUM severity.
Frequently asked questions
Do I need to immediately apply this patch?
If you run GoClaw 3.11.3 or earlier and have users with administrative roles or access to configuration, prioritize patching within 30 days. The public exploit and low barrier to exploitation increase urgency, especially if you manage sensitive role hierarchies. Assess your specific deployment and user base to determine if immediate patching is warranted.
Can this vulnerability be exploited without a valid account?
No. The vulnerability requires prior authentication—an attacker must have valid credentials to an instance of GoClaw. However, this includes any regular user account, not just administrators. If your organization uses shared credentials or has broad user bases with GoClaw access, the attack surface is larger.
What should I do while waiting for a patch to be tested?
Restrict who can access the RoleAdmin Gateway component and configuration endpoints. Review recent logs for unusual privilege modification requests. Consider implementing network segmentation to limit lateral movement from compromised user accounts. Strengthen monitoring of authentication and role-change events to detect exploitation attempts.
Will applying this patch break my existing role configurations?
Patching should not break existing configurations, but it will enforce privilege boundaries more strictly. Some user workflows that relied on the bypassed controls may be affected. Test in a non-production environment first, and prepare communication for affected teams before production deployment.
This advisory is based on CVE-2026-10217 as published on 2026-06-01 and modified through 2026-06-17. Information accuracy is dependent on vendor disclosures and public reporting. Organizations should verify patch availability and compatibility with their specific GoClaw deployment before applying updates. This summary does not constitute security advice; consult your security team and nextlevelbuilder's official documentation for your environment. The existence of a public exploit does not guarantee active in-the-wild exploitation, though it increases risk. No liability is accepted for decisions made based solely on this advisory. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability
- CVE-2026-0048MEDIUMAndroid Tapjacking Vulnerability – Privilege Escalation via WindowState
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-0086MEDIUMAndroid DisableSupervisionActivity Privilege Escalation via Null Check Bypass
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)