OpenClaw Server-Side Request Forgery Vulnerability in QQBot Media URL Handling

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in OpenClaw versions prior to 2026.4.12. The flaw lies in how the QQBot reply feature handles media URLs: a URL supplied in a message is fetched by the server, so an attacker can make it fetch arbitrary content. Exploitation involves sending malicious media URLs that trigger SSRF requests, with the retrieved data then being re-uploaded through the channel.

Impact

Exploitation of this vulnerability allows for unauthorized fetching of content from internal or external resources, with the fetched data being re-uploaded through the affected channel, potentially leading to further exploitation or data exposure.

Remediation

Users are advised to upgrade to OpenClaw version 2026.4.12 or later. The latest npm release, 2026.4.14, includes the necessary fix.
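As an added illustration of the kind of pre-fetch check a media-URL handling path needs (example code written for this page, not OpenClaw's own fix, whose details the advisory does not describe), the guard below validates scheme, host allowlist and the resolved address before any download; the allowlisted host name is a placeholder.

```javascript
// Added example, not OpenClaw's code: a pre-fetch guard for media URLs taken
// from inbound messages. The caller resolves the hostname once, passes the
// resolved address here, and then connects to exactly that address, so a DNS
// answer that changes between check and fetch cannot bypass the check.

// Hypothetical allowlist of media hosts this deployment expects to fetch from.
const ALLOWED_MEDIA_HOSTS = new Set(["cdn.example.com"]);

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True when an IP literal is loopback, private, link-local, multicast or
// otherwise not a public unicast address (anything a bot should never fetch).
function isNonPublicAddress(ip) {
  const m = ip.match(IPV4_RE);
  if (m) {
    const octets = m.slice(1).map(Number);
    if (octets.some((o) => o > 255)) return true; // malformed: refuse
    const [a, b] = octets;
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) || a >= 224;
  }
  if (ip.includes(":")) {
    const v6 = ip.toLowerCase();
    // IPv4-mapped form (::ffff:a.b.c.d): apply the IPv4 rules to the tail.
    const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isNonPublicAddress(mapped[1]);
    return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  return true; // not an IP literal at all: refuse
}

// Decide whether a media URL may be fetched. `resolvedIp` is the address the
// URL's hostname resolved to; the fetch must target that address, follow no
// redirects automatically, and re-run this check on every Location header.
function checkMediaUrl(urlString, resolvedIp) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  if (!ALLOWED_MEDIA_HOSTS.has(url.hostname)) return { ok: false, reason: "host not allowlisted" };
  if (isNonPublicAddress(resolvedIp)) return { ok: false, reason: "non-public address" };
  return { ok: true, reason: "" };
}
```

The re-upload step described in the advisory is what turns a blind fetch into data exposure, so the same check must also cover any URL obtained via redirect before the fetched bytes are handed to the channel.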

Added: May 5, 2026, 12:36 PM
Updated: May 5, 2026, 12:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 7.5
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.