nextlevelbuilder GoClaw
- Affected versions: <= 3.11.3
A vulnerability exists in nextlevelbuilder GoClaw versions through 3.11.3, in the Team Task Completion Handler. The affected function is 'TeamTasksTool.executeComplete' in 'internal/tools/team_tasks_lifecycle.go'. Because the handler does not verify that the caller owns the task, any team member can complete another member's in-progress task, bypassing authorization checks. The manipulation can be executed remotely, and the exploit is publicly available.
Exploitation of this vulnerability allows a team member to falsely complete a colleague's task and overwrite the task result with their own, potentially disrupting automated workflows and creating misleading records.
To reproduce this vulnerability, a GoClaw instance with the 'team_tasks' tool enabled is required. After ensuring a victim agent has an active task and an attacker agent is on the same team, the vulnerability can be exploited by invoking the 'team_tasks' tool to complete the victim's task, using the task ID obtained from the team's task list.
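The following Go snippet is an added illustration, not code from the GoClaw project: the task type, the in-memory store and all identifiers are hypothetical. It contrasts a completion handler that only checks task state (the flaw class the description above names) with a hardened one that also requires the caller to be the task's assignee before the state transition and result overwrite are allowed.

```go
package main

import (
	"errors"
	"fmt"
)

// Task status values for this hypothetical task store.
const (
	StatusInProgress = "in_progress"
	StatusCompleted  = "completed"
)

// Task is a minimal team task record (constructed for this example).
type Task struct {
	ID       string
	Assignee string // agent ID that claimed the task
	Status   string
	Result   string
}

// TaskStore is an in-memory stand-in for a team's task list.
type TaskStore struct {
	tasks map[string]*Task
}

func NewTaskStore() *TaskStore {
	return &TaskStore{tasks: map[string]*Task{}}
}

func (s *TaskStore) Add(t *Task) { s.tasks[t.ID] = t }

func (s *TaskStore) Get(id string) (*Task, bool) {
	t, ok := s.tasks[id]
	return t, ok
}

var (
	ErrNotFound      = errors.New("task not found")
	ErrNotInProgress = errors.New("task is not in progress")
	ErrNotAssignee   = errors.New("caller is not the task assignee")
)

// CompleteUnchecked shows the flaw class described in the advisory:
// it validates existence and status but never compares the caller to
// the assignee, so any team member who knows the task ID can mark it
// complete and overwrite its result.
func (s *TaskStore) CompleteUnchecked(callerID, taskID, result string) error {
	t, ok := s.Get(taskID)
	if !ok {
		return ErrNotFound
	}
	if t.Status != StatusInProgress {
		return ErrNotInProgress
	}
	t.Status = StatusCompleted
	t.Result = result
	return nil
}

// CompleteChecked is the hardened form: the caller must own the
// in-progress task. The ownership check runs before any mutation, so
// a rejected call leaves status and result untouched.
func (s *TaskStore) CompleteChecked(callerID, taskID, result string) error {
	t, ok := s.Get(taskID)
	if !ok {
		return ErrNotFound
	}
	if t.Status != StatusInProgress {
		return ErrNotInProgress
	}
	if t.Assignee != callerID {
		// Authorization failure; this is the event worth logging and alerting on.
		return ErrNotAssignee
	}
	t.Status = StatusCompleted
	t.Result = result
	return nil
}

func main() {
	store := NewTaskStore()
	store.Add(&Task{ID: "task-1", Assignee: "agent-a", Status: StatusInProgress})

	// Another team member tries to complete agent-a's task.
	err := store.CompleteChecked("agent-b", "task-1", "result from agent-b")
	fmt.Println("other member:", err) // other member: caller is not the task assignee

	err = store.CompleteChecked("agent-a", "task-1", "result from owner")
	fmt.Println("owner:", err) // owner: <nil>
}
```

In a real handler the assignee comparison should use the authenticated caller identity taken from the request context, never a caller-supplied field, and the denied attempt should be logged with both agent IDs and the task ID so that cross-member completion attempts are visible in audit records.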