poco-claw
CVE-2026-16016
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable unauthenticated endpoint; SSRF enables scope change affecting subsequent internal systems; no direct availability impact on the vulnerable component.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in poco-ai poco-claw up to 0.5.4. This issue affects the function run_task of the file executor/app/api/v1/task.py. The manipulation of the argument callback_url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically due to inactivity.
AnalysisAI
Server-side request forgery in poco-ai/poco-claw up to version 0.5.4 allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP requests to attacker-controlled destinations via the unvalidated callback_url parameter in the run_task API function. The flaw is exposed through the task execution endpoint at executor/app/api/v1/task.py and carries a publicly available proof-of-concept exploit referenced on GitHub. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be running poco-ai/poco-claw version 0.5.4 or earlier with the task execution API endpoint reachable over a network accessible to the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.5 (Medium) reflects AV:N/AC:L/AT:N/PR:N/UI:N, confirming unauthenticated, low-complexity, network-based exploitation with no special preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote unauthenticated attacker submits a crafted POST request to the poco-claw task API endpoint, setting the callback_url field to http://169.254.169.254/latest/meta-data/iam/security-credentials/ to target an AWS IMDSv1 metadata service. The server's run_task function issues the HTTP request without validating the destination, and the response containing temporary IAM credentials is relayed back to or observable by the attacker. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the originating GitHub issue (https://github.com/poco-ai/poco-claw/issues/138) was closed automatically due to inactivity, signaling no remediation commitment from the maintainer. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated authorization bypass in poco-ai/poco-claw's Workspace API allows remote attackers to access arbitrary us
Missing authentication on the executor_manager control-plane API in poco-ai/poco-claw through version 0.5.4 allows adjac
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today