CVE-2026-44117
MEDIUM WAF: Medium
CVSS 5.8
Published: 2026-05-06
CWE-918
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.4.20 |
References
- github.com (Patch)
- github.com (Mitigation, Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)