CVE-2026-44116
Severity: HIGH 8.6 · EPSS percentile 20.6%

Description

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.29% probability of exploitation · percentile 20.6% · 2026-06-18T12:00:27Z
Published: 2026-05-06
Last modified: 2026-05-07

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r
  3. https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation

Type: Weakness
Target: Server-Side Request Forgery (SSRF) (cwe-918)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-28467
  2. CVE: CVE-2026-43526
  3. CVE: CVE-2026-41914
  4. CVE: CVE-2026-28451
  5. CVE: CVE-2026-42439
  6. CVE: CVE-2026-28454
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.