CVE-2026-44116 — HIGH (8.6)

Q: How severe is CVE-2026-44116?

CVE-2026-44116 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-44116?

Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.

Vulnerability Description

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Openclaw	Openclaw	< 2026.4.22

Related Weaknesses (CWE)

CWE-918

References

https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b8058Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2rMitigationVendor Advisory
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalThird Party Advisory

FAQ

What is CVE-2026-44116?

CVE-2026-44116 is a vulnerability with a CVSS score of 8.6 (HIGH). OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can ...

How severe is CVE-2026-44116?

CVE-2026-44116 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-44116?

Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.