7 matches found
CVE-2026-16123 nextlevelbuilder GoClaw Invoke Endpoint tools_invoke.go ToolsInvokeHandler.ServeHTTP authorization
A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/toolsinvoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated...
CVE-2026-16123
The vulnerability CVE-2026-16123 affects nextlevelbuilder GoClaw up to version 3.13.2. It resides in ToolsInvokeHandler.ServeHTTP (internal/http/tools_invoke.go, Invoke Endpoint) and is caused by a manipulation that leads to missing authorization. This allows remote exploitation, with a public ex...
EUVD-2026-45384
A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/toolsinvoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated...
PT-2026-60970
A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/tools invoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated...
CVE-2026-61684
FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/ authenticate only by verifying a JWT signed with INVOKETOKENSECRET, which defaults to the constant string token and was not set in official deployment templates. ...
EUVD-2026-44676
FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/ authenticate only by verifying a JWT signed with INVOKETOKENSECRET, which defaults to the constant string token and was not set in official deployment templates. ...
GHSA-943Q-MWMV-HHVH OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval
Summary OpenClaw Gateway exposes an authenticated HTTP endpoint POST /tools/invoke intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session...