Skip to main content

OpenClaw CVE-2026-44116

| EUVDEUVD-2026-28197 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-06 disclosure@vulncheck.com
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 06, 2026 - 21:03 EUVD
Source Code Evidence Fetched
May 06, 2026 - 20:37 vuln.today
Analysis Generated
May 06, 2026 - 20:37 vuln.today
CVE Published
May 06, 2026 - 20:16 nvd
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.4.22.

DescriptionCVE.org

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.

AnalysisAI

Server-side request forgery in OpenClaw before version 2026.4.22 allows remote attackers to bypass SSRF protection in the Zalo plugin's sendPhoto function by providing malicious photo URLs, enabling unauthorized access to internal resources. The vulnerability affects the Zalo Bot API integration and requires network access but involves time-based attack complexity; no public exploit code or active exploitation has been confirmed.

Technical ContextAI

OpenClaw is a bot framework that includes a Zalo messaging plugin for integration with Zalo's Bot API. The vulnerability exists in the sendPhoto function within the Zalo plugin (extensions/zalo/src/api.ts), which accepts photo URLs as parameters. The root cause is CWE-918 (Server-Side Request Forgery), stemming from a failure to validate outbound photo URLs against OpenClaw's centralized SSRF protection mechanism before forwarding them to the Zalo API endpoint. The framework provides a shared SSRF guard via the resolvePinnedHostnameWithPolicy function from the openclaw/plugin-sdk/ssrf-runtime module, which validates hostnames against a pinned policy and blocks requests to private, internal, and special-use IP addresses (such as 169.254.169.254 metadata services). The vulnerable code path allowed photo URLs to bypass this guard, enabling attackers to craft requests that would cause the OpenClaw server to make HTTP requests to restricted internal resources on behalf of the application.

RemediationAI

Upgrade OpenClaw to version 2026.4.22 or later immediately. The fix includes validation of outbound photo URLs using the shared resolvePinnedHostnameWithPolicy function before posting to Zalo, plus routing of media-reply paths through guarded outbound media helpers. No workarounds are available for unpatched versions; however, as a temporary compensating control, administrators can restrict outbound HTTP/HTTPS access from OpenClaw servers to only whitelisted Zalo API endpoints and known-safe internal services, blocking access to metadata services (169.254.169.254), localhost ranges (127.0.0.0/8, ::1), and private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). This mitigation reduces attacker surface but may break legitimate photo URL handling if internal CDN or service URLs are in use. Vendor advisory and fix commit are available at https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-44116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy