CVE-2026-41914 · HIGH 8.5 · EPSS percentile 12.1%

Description

OpenClaw before 2026.4.8 contains a server-side request forgery (SSRF) vulnerability: the QQ Bot media download paths bypass the SSRF protection. An attacker can use these unprotected media fetch endpoints to reach internal resources and to bypass the allowlist policies.
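The bug class described above is a fetch path that takes a URL from an inbound message and retrieves it without the checks the rest of the application applies. The following is an added example, not OpenClaw's code and not the patch referenced below: a guard that checks the scheme, the host allowlist and the address the host resolves to, applied on every redirect hop, next to the shape of an unguarded fetch path that follows a redirect from an allowlisted host straight into a cloud metadata endpoint. The allowlist, host names, DNS answers and HTTP responses are constructed for the example; real DNS and HTTP are replaced by injected callables so it runs offline.

```python
"""Illustrative SSRF guard for a bot media-download path (added example, not
OpenClaw code).  Every outbound fetch, media downloads included, must pass one
guard that checks the host allowlist and the resolved address, and the guard is
re-applied on each redirect hop with the connection pinned to the checked IP.
DNS and HTTP are injected callables so the example runs offline on constructed data."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"media.example.com", "cdn.example.com"}   # constructed policy
ALLOWED_SCHEMES = {"https"}
MAX_REDIRECTS = 3
REDIRECTS = {301, 302, 303, 307, 308}
Resolver = Callable[[str], Iterable[str]]                        # host -> IPs
Fetcher = Callable[[str, str], Tuple[int, Optional[str], bytes]]  # (url, ip) -> (status, Location, body)

class SSRFBlocked(Exception):
    pass

def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses (rejects loopback,
    RFC 1918, link-local incl. 169.254.169.254, CGNAT, multicast, ...)."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 must fail the v4 rules
    return ip.is_global and not ip.is_multicast

def check_media_url(url: str, resolve: Resolver) -> str:
    """Validate one hop; return the IP the connection must be pinned to."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {url}")
    if parts.username or parts.password:
        raise SSRFBlocked(f"credentials in URL: {url}")
    host = parts.hostname            # lower-cased, IPv6 brackets stripped
    if not host or host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not allowlisted: {host!r}")
    addrs = list(resolve(host))
    if not addrs:
        raise SSRFBlocked(f"no address for {host}")
    for addr in addrs:               # a single internal record fails the check
        if not is_public_address(addr):
            raise SSRFBlocked(f"{host} resolves to internal address {addr}")
    return addrs[0]

def download_media_guarded(url: str, resolve: Resolver, fetch: Fetcher) -> bytes:
    """Follow redirects, validating and pinning every hop."""
    for _ in range(MAX_REDIRECTS + 1):
        ip = check_media_url(url, resolve)
        status, location, body = fetch(url, ip)
        if status in REDIRECTS and location:
            url = location           # re-checked on the next pass
            continue
        return body
    raise SSRFBlocked("too many redirects")

def download_media_unguarded(url: str, resolve: Resolver, fetch: Fetcher) -> bytes:
    """Shape of a fetch path that skips the guard and follows redirects blindly."""
    for _ in range(MAX_REDIRECTS + 1):
        host = urlsplit(url).hostname or ""
        status, location, body = fetch(url, next(iter(resolve(host)), host))
        if status in REDIRECTS and location:
            url = location
            continue
        return body
    raise RuntimeError("too many redirects")

# Constructed offline environment: DNS answers and HTTP responses.
FAKE_DNS: Dict[str, List[str]] = {
    "media.example.com": ["93.184.215.14"],   # any globally routable address
    "cdn.example.com": ["10.0.0.5"],          # allowlisted name, internal record
}
FAKE_HTTP: Dict[str, Tuple[int, Optional[str], bytes]] = {   # allowlisted host 302s to metadata
    "https://media.example.com/img/1.png": (302, "http://169.254.169.254/latest/meta-data/", b""),
    "https://media.example.com/img/2.png": (200, None, b"\x89PNG...ok"),
    "http://169.254.169.254/latest/meta-data/": (200, None, b"ami-id\ninstance-id\n"),
}

def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])

def fake_fetch(url: str, pinned_ip: str) -> Tuple[int, Optional[str], bytes]:
    return FAKE_HTTP.get(url, (404, None, b""))

def demo() -> Dict[str, str]:
    """Fetch the same redirecting URL through both paths."""
    url = "https://media.example.com/img/1.png"
    out = {"unguarded": download_media_unguarded(url, fake_resolve, fake_fetch).decode()}
    try:
        download_media_guarded(url, fake_resolve, fake_fetch)
        out["guarded"] = "fetched"
    except SSRFBlocked as exc:
        out["guarded"] = f"blocked: {exc}"
    return out

if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path:9s} {result!r}")
```

The guard returns the address it validated so that the caller can connect to that IP rather than resolving the name a second time; a resolve-then-connect split is what a DNS rebinding attack exploits. The `cdn.example.com` entry shows why the allowlist alone is not enough: an allowlisted name that resolves to an internal address is still rejected.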

Scoring

CVSS 3.1: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Reading the vector: network-reachable, low attack complexity, low privileges required, no user interaction, changed scope (the forged request reaches resources beyond the vulnerable component), high confidentiality impact, low integrity impact, no availability impact.
EPSS: 0.22% probability of exploitation · percentile 12.1% · as of 2026-06-19T12:03:05Z
Published: 2026-04-28
Last modified: 2026-04-30

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj
  3. https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths

Type | Target | Confidence | Tier
Weakness | Server-Side Request Forgery (SSRF), cwe-918 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-43526
  2. CVE-2026-28451
  3. CVE-2026-43533
  4. CVE-2026-28467
  5. CVE-2026-34507
  6. CVE-2026-44116
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.