High severity (8.6, NVD Advisory) · Published May 6, 2026 · Updated May 7, 2026
CVE-2026-44116
Description
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| openclaw | npm | < 2026.4.22 | 2026.4.22 |
References
- github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f (NVD: Patch)
- github.com/advisories/GHSA-2hh7-c75g-qj2r (GHSA: Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r (NVD: Mitigation, Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-44116 (GHSA: Advisory)
- www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation (NVD: Third Party Advisory)