Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.22.
DescriptionCVE.org
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
AnalysisAI
Server-side request forgery in OpenClaw before version 2026.4.22 allows remote attackers to bypass SSRF protection in the Zalo plugin's sendPhoto function by providing malicious photo URLs, enabling unauthorized access to internal resources. The vulnerability affects the Zalo Bot API integration and requires network access but involves time-based attack complexity; no public exploit code or active exploitation has been confirmed.
Technical ContextAI
OpenClaw is a bot framework that includes a Zalo messaging plugin for integration with Zalo's Bot API. The vulnerability exists in the sendPhoto function within the Zalo plugin (extensions/zalo/src/api.ts), which accepts photo URLs as parameters. The root cause is CWE-918 (Server-Side Request Forgery), stemming from a failure to validate outbound photo URLs against OpenClaw's centralized SSRF protection mechanism before forwarding them to the Zalo API endpoint. The framework provides a shared SSRF guard via the resolvePinnedHostnameWithPolicy function from the openclaw/plugin-sdk/ssrf-runtime module, which validates hostnames against a pinned policy and blocks requests to private, internal, and special-use IP addresses (such as 169.254.169.254 metadata services). The vulnerable code path allowed photo URLs to bypass this guard, enabling attackers to craft requests that would cause the OpenClaw server to make HTTP requests to restricted internal resources on behalf of the application.
RemediationAI
Upgrade OpenClaw to version 2026.4.22 or later immediately. The fix includes validation of outbound photo URLs using the shared resolvePinnedHostnameWithPolicy function before posting to Zalo, plus routing of media-reply paths through guarded outbound media helpers. No workarounds are available for unpatched versions; however, as a temporary compensating control, administrators can restrict outbound HTTP/HTTPS access from OpenClaw servers to only whitelisted Zalo API endpoints and known-safe internal services, blocking access to metadata services (169.254.169.254), localhost ranges (127.0.0.0/8, ::1), and private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). This mitigation reduces attacker surface but may break legitimate photo URL handling if internal CDN or service URLs are in use. Vendor advisory and fix commit are available at https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28197