CVE-2026-44116
HIGH WAF: Medium
CVSS 8.6
Published: 2026-05-06
CWE-918
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.4.22 |
References
- github.com (Patch)
- github.com (Mitigation, Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)