Skip to content
CVSS 8.6 · HIGH

CVE-2026-44116

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.

Ver en NVD

Análisis

The vulnerability affects OpenClaw, a niche project, specifically within its Zalo messaging plugin. Since Zalo is not widely used in the Mexican market and the software itself has limited deployment in standard dev stacks, it does not warrant an alert for the community.

Severidad

Puntaje: 8.6(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: NONE
A: NONE
Tipo de falla (CWE): CWE-918

EPSS

Sin puntaje EPSS aún (CVE muy reciente).

Descripción técnica

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.

Publicada: 6/5/2026, 20:16:35
Última modificación: 6/5/2026, 21:20:52

Referencias

InicioEventosBlogRecursosEquipo