PT-2026-38250 · Openclaw · Openclaw
Foodlook
·
Published
2026-04-25
·
Updated
2026-05-07
·
CVE-2026-44117
CVSS v3.1
5.8
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.20
Description
An issue in QQBot direct media upload allows for server-side request forgery (SSRF), a flaw where a server is tricked into making requests to an unintended location. This occurs because URL validation is skipped. Attackers can bypass protections by sending crafted image URLs to the 'uploadC2CMedia' and 'uploadGroupMedia' endpoints to relay unauthorized requests.
Recommendations
Update to version 2026.4.20.
As a temporary workaround, restrict access to the 'uploadC2CMedia' and 'uploadGroupMedia' endpoints to minimize the risk of exploitation.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw