What is CVE-2026-44116?

CVE-2026-44116 is a high-severity vulnerability in Openclaw, classified under Server-Side Request Forgery (SSRF). CVSS score: 8.6/10. Published 2026-05-06.

How severe is CVE-2026-44116?

High severity. CVSS v3 base score is 8.6 out of 10.

SSRF in Openclaw

CVE-2026-44116

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing mal…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (13.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.

Affected products

Openclaw — versions 0, 2026.4.22

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

Patch Commit (Patch, patch)
GitHub Security Advisory (GHSA-2hh7-c75g-qj2r) (vendor-advisory, Mitigation, Vendor Advisory)
VulnCheck Advisory: OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-44116?: CVE-2026-44116 is a high-severity vulnerability in Openclaw, classified under Server-Side Request Forgery (SSRF). CVSS score: 8.6/10. Published 2026-05-06.
How severe is CVE-2026-44116?: High severity. CVSS v3 base score is 8.6 out of 10.