GHSA-2hh7-c75g-qj2r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2hh7-c75g-qj2r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2hh7-c75g-qj2r/GHSA-2hh7-c75g-qj2r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2hh7-c75g-qj2r
- Aliases
-
- CVE-2026-44116
- Downstream
- Published
- 2026-05-04T20:21:11Z
- Modified
- 2026-05-12T17:10:14.854202Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw validates Zalo outbound photo URLs through the SSRF guard
- Details
-
Summary
Zalo outbound photo URLs are validated through the SSRF guard.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22
Impact
The Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy.
Fix
Zalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers.
Fix Commit(s)
- a65eb1b864b7630c1242a82de9e5799b80583c3f
Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.
OpenClaw thanks @foodlook for reporting.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": null, "cwe_ids": [ "CWE-918" ], "github_reviewed_at": "2026-05-04T20:21:11Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r
- https://nvd.nist.gov/vuln/detail/CVE-2026-44116
- https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw