CVE-2026-44117

Sažetak

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.

Reference

https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09
https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload

CVSS

Base:	5.8
Impact:	1.4
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Zadnje važnije ažuriranje

07-05-2026 - 17:07

Objavljeno

06-05-2026 - 20:16