CVE-2026-44116
HIGHOpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
Title source: cnaDescription
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-2hh7-c75g-qj2r)
https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation
Scores
CVSS v3
8.6
EPSS
0.0004
EPSS Percentile
13.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (4)
npm/openclaw
0 - 2026.4.22npm
OpenClaw/OpenClaw
< 2026.4.22
openclaw/openclaw
< 2026.4.22
OpenClaw/OpenClaw
2026.4.22
Published
May 06, 2026
Tracked Since
May 07, 2026