CVE-2026-24231

MEDIUM

NVIDIA NemoClaw < 0.0.13 - Server-Side Request Forgery via validateEndpointUrl() Bypass

Title source: llm

Description

NVIDIA NemoClaw contains a vulnerability in the validateEndpointUrl() SSRF protection component, where an attacker could cause a server-side request forgery by supplying a crafted endpoint URL referencing the 0.0.0.0/8 address range through a blueprint configuration file or CLI flag. A successful exploit of this vulnerability may lead to information disclosure.

References (3)

Core 3

Core References

https://nvd.nist.gov/vuln/detail/CVE-2026-24231

https://www.cve.org/CVERecord?id=CVE-2026-24231

https://nvidia.custhelp.com/app/answers/detail/a_id/5837

Scores

CVSS v3 6.3

EPSS 0.0013

EPSS Percentile 2.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

nvidia/nemoclaw < 0.0.13

NVIDIA/NemoClaw All versions prior to v0.0.13

Published Apr 28, 2026

Tracked Since Apr 29, 2026