PT-2026-38249 · Openclaw · Zalo Plugin
Foodlook · Published 2026-05-04 · Updated 2026-05-07
CVE-2026-44116
CVSS v3.1: 8.6 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.22
Description
A server-side request forgery (SSRF) issue exists in the Zalo plugin. The sendPhoto() function does not pass outbound photo URLs through the plugin's SSRF guard. An attacker who can supply a photo URL to the Zalo Bot API therefore bypasses that protection and can make the bot fetch an attacker-chosen URL, potentially giving unauthorized access to internal resources.
Recommendations
Update to version 2026.4.22 or later.
As a temporary workaround, restrict access to the sendPhoto() function within the Zalo plugin.
Fix
SSRF
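The kind of check the description says sendPhoto() skips, as an added example that is not OpenClaw's or the Zalo plugin's code: an outbound-URL guard that refuses loopback, private, link-local and other reserved destinations, both as IP literals (after the WHATWG URL parser has normalised decimal and hex host forms) and after name resolution. The function names, the FAKE_DNS table, the injected resolver and the sendPhoto wrapper are assumptions made for illustration; nothing here is taken from the project.

```javascript
// Added example (not OpenClaw's or the Zalo plugin's code): an outbound-URL
// guard of the kind the advisory says sendPhoto() bypassed. Runs offline in
// Node.js with a constructed resolver instead of real DNS.

// IPv4 ranges a bot must never be steered into: [CIDR base, prefix length].
const BLOCKED_V4 = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918 private
  ["100.64.0.0", 10],   // carrier-grade NAT
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local (cloud metadata endpoints live here)
  ["172.16.0.0", 12],   // RFC 1918 private
  ["192.168.0.0", 16],  // RFC 1918 private
  ["224.0.0.0", 4],     // multicast
  ["240.0.0.0", 4],     // reserved, including broadcast
];

// Dotted quad -> unsigned 32-bit integer, or null if not a dotted quad.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedV4(ip) {
  return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// IPv6 literal without brackets, lower-cased, in the canonical form the URL
// parser emits. Conservative: anything not plainly global unicast is refused.
function isBlockedV6(h) {
  if (h === "::" || h === "::1") return true;   // unspecified, loopback
  if (/^f[cd]/.test(h)) return true;            // fc00::/7 unique local
  if (/^fe[89ab]/.test(h)) return true;         // fe80::/10 link-local
  if (h.startsWith("::ffff:")) {                // IPv4-mapped: apply the v4 list
    const rest = h.slice(7);
    let v4 = ipv4ToInt(rest);
    if (v4 === null) {                          // serialized as ::ffff:7f00:1
      const parts = rest.split(":");
      if (parts.length !== 2) return true;
      const [hi, lo] = parts.map((p) => parseInt(p, 16));
      if (Number.isNaN(hi) || Number.isNaN(lo)) return true;
      v4 = ((hi << 16) | lo) >>> 0;
    }
    return isBlockedV4(v4);
  }
  return false;
}

function isBlockedAddress(addr) {
  const v4 = ipv4ToInt(addr);
  if (v4 !== null) return isBlockedV4(v4);
  return isBlockedV6(addr.replace(/^\[|\]$/g, "").toLowerCase());
}

// Validate a user-supplied photo URL. `resolve` (hostname -> [address, ...])
// is injected so the example runs offline; a production guard would call
// dns.lookup(host, { all: true }) here and then connect to the address it
// checked, never re-resolving, so a DNS-rebinding race cannot slip through.
function checkOutboundUrl(raw, resolve) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  // IP literal: the parser has already normalised decimal, octal and hex forms.
  if (ipv4ToInt(host) !== null || host.startsWith("[")) {
    return isBlockedAddress(host)
      ? { ok: false, reason: "reserved address literal" }
      : { ok: true, addresses: [host] };
  }
  const addresses = resolve(host);
  if (!addresses || addresses.length === 0) return { ok: false, reason: "unresolvable host" };
  const bad = addresses.find(isBlockedAddress);
  return bad ? { ok: false, reason: `resolves to reserved address ${bad}` } : { ok: true, addresses };
}

// Constructed stand-in for a plugin send path: the guard runs before any fetch,
// and the checked addresses are handed to the transport for pinning.
function sendPhoto(photoUrl, resolve, transport) {
  const verdict = checkOutboundUrl(photoUrl, resolve);
  if (!verdict.ok) throw new Error(`SSRF guard rejected photo URL: ${verdict.reason}`);
  return transport(photoUrl, verdict.addresses);
}

// Constructed resolver table (documentation-range addresses only).
const FAKE_DNS = {
  "cdn.example": ["203.0.113.10"],
  "rebind.example": ["203.0.113.11", "10.0.0.5"],
};
const fakeResolve = (host) => FAKE_DNS[host] || [];

for (const u of ["https://cdn.example/photo.jpg", "http://localhost:8080/", "http://2130706433/",
                 "http://[::ffff:7f00:1]/", "http://rebind.example/x", "file:///etc/hosts"]) {
  console.log(u, "->", JSON.stringify(checkOutboundUrl(u, fakeResolve)));
}
```

The resolver injection is the point to watch when adapting this: checking a hostname's addresses and then letting the HTTP client resolve the name again leaves a rebinding window, so the address the guard approved should be the one the socket connects to, with the original hostname kept only for the Host header and TLS SNI.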
Affected Products
Openclaw
Zalo Plugin