Home

Description

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.

PUBLISHED Reserved 2026-04-22 | Published 2026-04-28 | Updated 2026-04-28 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N

HIGH: 8.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

Any version before 2026.4.8
affected

2026.4.8 (semver)
unaffected

Credits

Adithyan AK (@adithyan-ak) reporter

References

github.com/...enclaw/security/advisories/GHSA-3fv3-6p2v-gxwj (GitHub Security Advisory (GHSA-3fv3-6p2v-gxwj)) vendor-advisory

github.com/...ommit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5 (Patch Commit) patch

www.vulncheck.com/...est-forgery-in-qq-bot-media-fetch-paths (VulnCheck Advisory: OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths) third-party-advisory

cve.org (CVE-2026-41914)

nvd.nist.gov (CVE-2026-41914)

Download JSON