CVE-2026-43526

OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a	Patch
https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

07 May 2026, 01:57

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw Openclaw openclaw
References	~~() https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a -~~	() https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a - Patch
References	~~() https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d -~~	() https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling -~~	() https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling - Third Party Advisory

05 May 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-05 12:16

Updated : 2026-05-07 01:57

NVD link : CVE-2026-43526

Mitre link : CVE-2026-43526

CVE.ORG link : CVE-2026-43526

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-918

Server-Side Request Forgery (SSRF)

8.2 /10