CVE-2026-44116 MEDIUM

CVE-2026-44116: OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation

Vendor Openclaw
Product OpenClaw
Weakness CWE-918 · SSRF
Published May 6, 2026
Last update May 7, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.

Key dates

02Disclosure timeline

May 6, 2026 CVE published
May 7, 2026 Record updated