PT-2026-37323 · npm · OpenClaw

Published: 2026-04-25 · Updated: 2026-04-25

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

The QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow.
The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low.

Fix

OpenClaw now validates QQBot direct-upload media URLs before uploadC2CMedia and uploadGroupMedia direct-upload calls.
Fix commit:
  • 49db424c8001f2f419aad85f434894d8d85c1a09

Release

Fixed in OpenClaw 2026.4.20.

Fix

SSRF

Weakness Enumeration

Related identifiers

GHSA-C4QG-J8JG-42Q5

Affected products

Openclaw