CVE-2026-24231
SSRF Vulnerability in NVIDIA NemoClaw Enables Information Disclosure

Publication date: 2026-04-28

Last updated on: 2026-05-04

Assigner: NVIDIA Corporation

Description
NVIDIA NemoClaw contains a vulnerability in the validateEndpointUrl() SSRF protection component, where an attacker could cause a server-side request forgery by supplying a crafted endpoint URL referencing the 0.0.0.0/8 address range through a blueprint configuration file or CLI flag. A successful exploit of this vulnerability may lead to information disclosure.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: nvidia
Product: nemoclaw
Version / Range: up to 0.0.13 (exclusive)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-24231 is a vulnerability in NVIDIA NemoClaw's validateEndpointUrl() component, which is intended to protect against server-side request forgery (SSRF).

An attacker can exploit this flaw by supplying a specially crafted endpoint URL that references the 0.0.0.0/8 IP address range through a blueprint configuration file or a command-line interface (CLI) flag.

Successful exploitation allows the attacker to perform SSRF attacks, potentially leading to information disclosure.

Impact Analysis

This vulnerability can be exploited to perform server-side request forgery (SSRF), which may lead to unauthorized information disclosure.

Because the attacker can cause the system to make requests to internal or restricted IP address ranges (0.0.0.0/8), sensitive data could be exposed.

The CVSS v3.1 score indicates a medium severity with high confidentiality impact but no impact on integrity or availability.

Detection Guidance

The vulnerability involves supplying a crafted endpoint URL referencing the 0.0.0.0/8 IP address range through a blueprint configuration file or CLI flag in NVIDIA NemoClaw. Detection would involve inspecting these configuration files or CLI parameters for such crafted URLs.

No specific detection commands or network scanning techniques are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update NVIDIA NemoClaw to version v0.0.13 or later, where this vulnerability has been addressed.

Additionally, reviewing and sanitizing blueprint configuration files and CLI flags to ensure they do not contain endpoint URLs referencing the 0.0.0.0/8 IP address range can help reduce risk.
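As an added example (not NemoClaw's own code; the page does not show the project's actual validateEndpointUrl() implementation), a hypothetical JavaScript endpoint-URL check that refuses the 0.0.0.0/8 range alongside the other non-routable ranges, usable for vetting endpoint URLs pulled from blueprint configuration files or CLI flags. The deny list and the IPv6-refusal policy are constructed for this illustration.

```javascript
// Added example, not NemoClaw's own code: a hypothetical endpoint-URL check that
// denies the 0.0.0.0/8 range named in CVE-2026-24231 alongside other
// non-routable ranges, for vetting URLs taken from blueprint files or CLI flags.

// Constructed deny list. 0.0.0.0/8 must be listed explicitly: a loopback-only
// rule (127.0.0.0/8) misses 0.0.0.0, which on common systems reaches the local host.
const DENIED_V4 = [
  "0.0.0.0/8",                                      // "this" network
  "127.0.0.0/8",                                    // loopback
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  // RFC 1918 private
  "169.254.0.0/16",                                 // link-local
];

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function v4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) | Number(octet), 0) >>> 0;
}

// True when ip lies inside the CIDR block, e.g. inCidr("0.1.2.3", "0.0.0.0/8").
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// Returns { ok: true, href } or { ok: false, reason }.
function validateEndpointUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // The WHATWG URL parser canonicalises numeric hosts such as "0" or "2130706433"
  // to dotted-quad form, so the range check sees the real address.
  const host = url.hostname;
  if (host.startsWith("[")) {
    // Assumption: endpoints are IPv4 or hostnames; IPv6 literals are refused outright.
    return { ok: false, reason: "IPv6 literal not allowed" };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    const hit = DENIED_V4.find((cidr) => inCidr(host, cidr));
    if (hit) return { ok: false, reason: `address ${host} is in denied range ${hit}` };
  }
  // A hostname passes only the syntactic check; the caller must resolve it and
  // re-run the range check on every returned address before connecting.
  return { ok: true, href: url.href };
}
```

Hostnames are deliberately not resolved here, so a deployment must repeat the range check on the resolved addresses (and connect to exactly those) to close DNS-based variants of the same problem.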

Compliance Impact

The provided information does not specify how the CVE-2026-24231 vulnerability in NVIDIA NemoClaw affects compliance with common standards and regulations such as GDPR or HIPAA.
