CVSS 8.6 · HIGH

CVE-2026-44116

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.


Analysis

The vulnerability affects OpenClaw, a niche project, specifically within its Zalo messaging plugin. Since Zalo is not widely used in the Mexican market and the software itself has limited deployment in standard dev stacks, it does not warrant an alert for the community.

Severity

Score: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: NONE
A: NONE
Weakness (CWE): CWE-918

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
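The description above says the Zalo plugin's sendPhoto path fetched a caller-supplied photo URL without passing it through the SSRF guard. As an added example (not OpenClaw's code and not a reconstruction of its Zalo plugin), the TypeScript below shows what such an outbound-URL guard does, a sendPhoto that skips it (the failure mode described), and one that goes through it. All names (assertSafeOutboundUrl, sendPhotoGuarded, the DNS table, the fetcher) are assumptions; resolution and fetching are injected as synchronous stubs so the module runs offline, and the guard goes slightly beyond the description by also rejecting non-HTTP schemes, embedded credentials, IPv6 loopback/ULA/link-local and IPv4-mapped IPv6 forms.

```typescript
// Added example, not OpenClaw's code: an outbound-URL SSRF guard beside an
// unguarded and a guarded sendPhoto. Every identifier here is an assumption.

// Injected so the example runs offline; a real plugin would use dns.lookup
// (returning all addresses) and its HTTP client instead.
export type Resolver = (hostname: string) => string[];
export type Fetcher = (url: string) => string;

// Constructed DNS table. "mixed.example.com" simulates a name whose answers
// include an internal address alongside a public one (split or rebinding answers).
export const constructedResolver: Resolver = (hostname) => {
  const table: Record<string, string[]> = {
    "cdn.example.com": ["203.0.113.10"],
    "mixed.example.com": ["203.0.113.11", "10.0.0.5"],
  };
  const addrs = table[hostname];
  if (!addrs) throw new Error(`ENOTFOUND ${hostname}`);
  return addrs;
};

// Constructed fetcher: records what would have been fetched instead of doing I/O.
export const recordingFetcher: Fetcher = (url) => `fetched ${url}`;

// Loopback, private, CGNAT, link-local, multicast and reserved IPv4 ranges.
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
];

// Simplified literal check (no dependency on node:net). 0 means "not an IP literal".
function ipVersion(s: string): 4 | 6 | 0 {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split(".").every((o) => Number(o) <= 255)) return 4;
  if (s.includes(":") && /^[0-9a-f:.]+$/.test(s)) return 6;
  return 0;
}

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/") as [string, string];
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True when an address must never be the target of an outbound fetch.
export function isBlockedAddress(addr: string): boolean {
  const ip = addr.toLowerCase();
  if (ipVersion(ip) === 4) return BLOCKED_V4.some((cidr) => inCidr(ip, cidr));
  if (ipVersion(ip) === 6) {
    const mapped = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
    if (mapped) return isBlockedAddress(mapped[1]);
    // unspecified, loopback, unique-local (fc00::/7), link-local (fe80::/10)
    return ip === "::" || ip === "::1" || /^f[cd]/.test(ip) || /^fe[89ab]/.test(ip);
  }
  return true; // not an address literal at all: refuse rather than guess
}

// The guard: http(s) only, no embedded credentials, and every address the host
// resolves to must be public. Returns the parsed URL or throws.
export function assertSafeOutboundUrl(raw: string, resolve: Resolver): URL {
  let url: URL | undefined;
  try { url = new URL(raw); } catch { /* handled below */ }
  if (!url) throw new Error(`SSRF guard: not a valid URL: ${raw}`);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`SSRF guard: scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error("SSRF guard: credentials in URL are not allowed");
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const addresses = ipVersion(host) !== 0 ? [host] : resolve(host);
  for (const addr of addresses) {
    if (isBlockedAddress(addr)) {
      throw new Error(`SSRF guard: ${host} resolves to blocked address ${addr}`);
    }
  }
  return url;
}

// The failure mode the advisory describes: the photo URL goes straight to the fetcher.
export function sendPhotoUnguarded(photoUrl: string, fetch: Fetcher): string {
  return fetch(photoUrl);
}

// The fixed shape: the same fetch, but only after the guard has accepted the URL.
export function sendPhotoGuarded(photoUrl: string, fetch: Fetcher, resolve: Resolver): string {
  const url = assertSafeOutboundUrl(photoUrl, resolve);
  return fetch(url.href);
}
```

Two design points a reviewer would check: the guard inspects `url.hostname` after WHATWG parsing, so alternate numeric spellings of an address are normalised before the range check, and it rejects a name if any resolved address is blocked rather than only the first. Even so, a check-then-fetch guard can be raced by a DNS answer that changes between the two steps; the HTTP client should connect to the address the guard validated (or re-validate inside the connection hook) rather than resolve the name a second time.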

Published: 5/6/2026, 8:16:35 PM
Last modified: 5/6/2026, 9:20:52 PM
