nextlevelbuilder GoClaw Unauthenticated Admin Access and Webhook Forgery Vulnerability

Vulnerability

A critical authentication bypass vulnerability has been identified in nextlevelbuilder GoClaw versions through 3.11.3. When 'GOCLAW_GATEWAY_TOKEN' is unset or empty, the 'resolveAuth' function in 'internal/http/auth.go' fails open and grants admin privileges to unauthenticated requests, so a remote attacker who can reach the HTTP listener can call sensitive endpoints or execute tools with admin rights without presenting any credential. Additionally, the Feishu and Pancake webhook handlers skip signature verification when their respective secrets are not configured, so forged payloads are accepted as legitimate.

Impact

Exploitation of this vulnerability allows unauthenticated users to access admin-only HTTP endpoints, such as those for managing MCP servers or invoking tools, which could lead to unauthorized actions or data exposure. Furthermore, without proper webhook verification, an attacker could send spoofed messages that are processed as trusted events, potentially triggering actions within the application.

Reproduction

To reproduce this vulnerability, deploy GoClaw with 'GOCLAW_GATEWAY_TOKEN' unset or empty and expose the HTTP listener to the attacker. For the webhook case, configure a Feishu or Pancake channel instance without its verification secret. Once the environment is set, send a request to a privileged endpoint with no credential at all, or deliver a forged webhook event to the unprotected callback URL; in both cases the request is accepted. Because the bypass depends on the missing token and secrets, configuring a non-empty 'GOCLAW_GATEWAY_TOKEN' and the per-channel webhook secrets removes the precondition while a fixed version is deployed.
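The fail-open pattern the advisory describes, shown next to its fail-closed counterpart, as an added illustration that is not GoClaw's source. The function names resolveAuthFailOpen and resolveAuthFailClosed, the '/admin/tools' path, the bearer-token header format and the HMAC-SHA256 webhook signing scheme are all assumptions standing in for the project's real code and for the actual Feishu and Pancake signature formats; the point is only how "secret not configured" is handled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role is the privilege level resolved for a request (assumed model, not GoClaw's).
type Role int

const (
	RoleNone Role = iota
	RoleAdmin
)

// AuthResolver maps a request to a Role given the configured gateway token.
type AuthResolver func(gatewayToken string, r *http.Request) Role

// bearerToken extracts the token from "Authorization: Bearer <token>" (assumed format).
func bearerToken(r *http.Request) string {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if strings.HasPrefix(h, prefix) {
		return strings.TrimPrefix(h, prefix)
	}
	return ""
}

// tokenMatches compares the presented and configured tokens in constant time.
func tokenMatches(presented, configured string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(configured)) == 1
}

// resolveAuthFailOpen reproduces the flaw the advisory describes:
// an empty gateway token makes every caller an admin.
func resolveAuthFailOpen(gatewayToken string, r *http.Request) Role {
	if gatewayToken == "" {
		return RoleAdmin // bug: "no token configured" is read as "no auth needed"
	}
	if tokenMatches(bearerToken(r), gatewayToken) {
		return RoleAdmin
	}
	return RoleNone
}

// resolveAuthFailClosed is the hardened form: an unset token means nobody is admin.
func resolveAuthFailClosed(gatewayToken string, r *http.Request) Role {
	if gatewayToken == "" {
		return RoleNone // misconfiguration denies, never grants
	}
	if tokenMatches(bearerToken(r), gatewayToken) {
		return RoleAdmin
	}
	return RoleNone
}

// adminOnly guards a privileged handler so only RoleAdmin callers reach it.
func adminOnly(resolve AuthResolver, gatewayToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if resolve(gatewayToken, r) != RoleAdmin {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request to a stand-in privileged endpoint ('/admin/tools' is
// illustrative, not a GoClaw route). presented == "" means no credential at all.
func probe(resolve AuthResolver, configured, presented string) int {
	privileged := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodPost, "/admin/tools", nil)
	if presented != "" {
		req.Header.Set("Authorization", "Bearer "+presented)
	}
	rec := httptest.NewRecorder()
	adminOnly(resolve, configured, privileged).ServeHTTP(rec, req)
	return rec.Code
}

// signBody is the assumed webhook signature: hex(HMAC-SHA256(secret, body)).
// The real Feishu and Pancake schemes differ; the fail-open/fail-closed point is the same.
func signBody(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyWebhookFailOpen accepts any payload when no secret is configured (the flaw).
func verifyWebhookFailOpen(secret string, body []byte, sig string) bool {
	if secret == "" {
		return true // bug: forged payloads pass until someone sets a secret
	}
	return hmac.Equal([]byte(signBody(secret, body)), []byte(sig))
}

// verifyWebhookFailClosed rejects every payload until a secret is configured.
func verifyWebhookFailClosed(secret string, body []byte, sig string) bool {
	if secret == "" {
		return false
	}
	return hmac.Equal([]byte(signBody(secret, body)), []byte(sig))
}

func main() {
	forged := []byte(`{"event":"message","text":"constructed forged payload"}`) // constructed sample
	fmt.Println("fail-open auth, token unset, no credential:", probe(resolveAuthFailOpen, "", ""))
	fmt.Println("fail-closed auth, token unset, no credential:", probe(resolveAuthFailClosed, "", ""))
	fmt.Println("fail-open webhook, no secret:", verifyWebhookFailOpen("", forged, ""))
	fmt.Println("fail-closed webhook, no secret:", verifyWebhookFailClosed("", forged, ""))
}
```

The first probe returns 200 and the second 401 for the same credential-less request; likewise the forged webhook body passes the fail-open check and is rejected by the fail-closed one. A deployment check that mirrors this is to send a credential-less request to any admin route and a body with no signature to each webhook callback: anything other than a rejection means the precondition is present.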

Added: Jun 2, 2026, 8:41 PM
Updated: Jun 2, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.