What is CVE-2026-43526?

CVE-2026-43526 is a high-severity vulnerability in Openclaw, classified under Server-Side Request Forgery (SSRF). CVSS score: 8.2/10. Published 2026-05-05.

How severe is CVE-2026-43526?

High severity. CVSS v3 base score is 8.2 out of 10.

SSRF in Openclaw

CVE-2026-43526

OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SS…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (12.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.

Affected products

Openclaw — versions 0, 2026.4.12

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

GitHub Security Advisory (GHSA-2767-2q9v-9326) (vendor-advisory, Vendor Advisory)
Patch Commit (1) (Patch, patch)
Patch Commit (2) (Patch, patch)
VulnCheck Advisory: OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-43526?: CVE-2026-43526 is a high-severity vulnerability in Openclaw, classified under Server-Side Request Forgery (SSRF). CVSS score: 8.2/10. Published 2026-05-05.
How severe is CVE-2026-43526?: High severity. CVSS v3 base score is 8.2 out of 10.