CVE-2026-43526
OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.
Ver en NVDAnálisis
OpenClaw is a niche bot/server project, and the vulnerability specifically impacts QQBot integration, which is popular in the Chinese ecosystem but rare in the Mexican developer community. Despite the high CVSS score, the product lacks the widespread deployment needed for a general alert.
Severidad
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NCWE-918EPSS
Afecta
openclaw:openclawDescripción técnica
OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.
Referencias
- https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a
- https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326
- https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling