CVE-2026-44117
Published
CVSS v3
5.8
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT
Description
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.
Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞
GitHub