| ID | CVE-2026-28467 |
| --- | --- |
| Summary | OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments. |
| Reference | |

| CVSS | Score |
| --- | --- |
| Base | 6.5 |
| Impact | 3.7 |
| Exploitability | 2.2 |

| Access: Vector | Complexity | Authentication |
| --- | --- | --- |
| NETWORK | HIGH | NONE |

| Impact: Confidentiality | Integrity | Availability |
| --- | --- | --- |
| LOW | LOW | LOW |

| CVSS vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |
| --- | --- |
| Last major update | 09-03-2026 - 15:28 |
| Published | 05-03-2026 - 22:16 |