top of page
perceptive_background_267k.jpg

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit …

Published:

27 april 2026 om 22:00:00

Alert date:

28 april 2026 om 20:08:59

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

OpenClaw versions prior to 2026.4.8 contain a server-side request forgery (SSRF) vulnerability in QQ Bot media download functionality. The vulnerability allows attackers to bypass SSRF protection mechanisms through unprotected media fetch endpoints. Exploitation enables access to internal network resources and circumvention of allowlist security policies. The vulnerability affects the media download paths specifically within the QQ Bot component of OpenClaw. Patches and security advisories have been published to address this issue.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-41914
https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5
https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page