CVE-2026-24231
SSRF Vulnerability in NVIDIA NemoClaw Enables Information Disclosure
Publication date: 2026-04-28
Last updated on: 2026-05-04
Assigner: NVIDIA Corporation
Description
CVSS Scores
EPSS Scores
| Probability | Percentile |
|---|---|
| | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | nemoclaw | all versions before 0.0.13 (0.0.13 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2026-24231 vulnerability in NVIDIA NemoClaw affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-24231 is a vulnerability in NVIDIA NemoClaw's validateEndpointUrl() component, which is intended to protect against server-side request forgery (SSRF).
An attacker can exploit this flaw by supplying a specially crafted endpoint URL that references the 0.0.0.0/8 IP address range through a blueprint configuration file or a command-line interface (CLI) flag.
Successful exploitation allows the attacker to perform SSRF attacks, potentially leading to information disclosure.
How can this vulnerability impact me?
This vulnerability can be exploited to perform server-side request forgery (SSRF), which may lead to unauthorized information disclosure.
Because the attacker can cause the system to make requests to internal or restricted IP address ranges (0.0.0.0/8), sensitive data could be exposed.
The CVSS v3.1 score indicates a medium severity with high confidentiality impact but no impact on integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves supplying a crafted endpoint URL referencing the 0.0.0.0/8 IP address range through a blueprint configuration file or a CLI flag in NVIDIA NemoClaw. Detection therefore consists of inspecting those configuration files and CLI parameters for endpoint URLs whose host falls inside 0.0.0.0/8 (any address of the form 0.x.x.x, not only the literal 0.0.0.0).
No specific detection commands or network scanning techniques are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update NVIDIA NemoClaw to version v0.0.13 or later, where this vulnerability has been addressed.
Additionally, reviewing and sanitizing blueprint configuration files and CLI flags to ensure they do not contain endpoint URLs referencing the 0.0.0.0/8 IP address range can help reduce risk.
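The following is an added example written for this page; it is not NVIDIA's or NemoClaw's code, and the `validateEndpointUrl()` internals, the blueprint file format and the sample configuration are assumptions. It contrasts the class of check that misses 0.0.0.0/8 (a literal comparison against "0.0.0.0") with a range-based check, and uses the range-based check to scan a constructed blueprint-style file for endpoint URLs that should be sanitized, which is the review step suggested in the mitigation answer above.

```python
"""Endpoint-URL validation examples for the CWE-918 pattern in CVE-2026-24231.

Hypothetical code, not NemoClaw's implementation. Shows why a check that
compares the host against the literal string "0.0.0.0" is insufficient and
how a network-range check closes the gap.
"""
import ipaddress
from urllib.parse import urlsplit

# Ranges a server-side fetcher should never be pointed at (constructed list,
# not an exhaustive policy).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",         # "this network": the range the flawed check misses
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",       # loopback
    "169.254.0.0/16",    # link-local, includes cloud metadata services
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

# What a literal-only validator typically blocks (everything except 0.0.0.0/8).
NAIVE_BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",
)]


def _host_ip(url):
    """Return the IP literal used as the URL host, or None if it is a name."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal


def naive_validate(url):
    """Flawed pattern (hypothetical): exact match on '0.0.0.0' only.

    http://0.0.0.1/ and every other 0.x.x.x host pass this check.
    """
    ip = _host_ip(url)
    if ip is None:
        return True
    if str(ip) == "0.0.0.0":
        return False
    return not any(ip in net for net in NAIVE_BLOCKED)


def hardened_validate(url):
    """Range-based check: reject any host inside BLOCKED_NETWORKS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    ip = _host_ip(url)
    if ip is None:
        # A DNS name must be re-checked after resolution, at connect time;
        # that step is outside this example.
        return True
    # Unwrap IPv4-mapped IPv6 literals (e.g. ::ffff:0.0.0.1) so the IPv4
    # ranges apply to them as well.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in BLOCKED_NETWORKS)


# Constructed sample in a simple "key: value" layout; not a real blueprint.
SAMPLE_BLUEPRINT = """\
# constructed sample configuration
name: demo-agent
model_endpoint: http://0.0.0.1:8000/v1
tool_endpoint: https://api.example.com/tools
metadata_endpoint: http://169.254.169.254/latest
"""


def find_blocked_endpoints(text):
    """Return (key, url) pairs whose URL the hardened check rejects."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if "://" not in value:
            continue  # not a URL-valued setting
        if not hardened_validate(value):
            hits.append((key.strip(), value))
    return hits


if __name__ == "__main__":
    for key, url in find_blocked_endpoints(SAMPLE_BLUEPRINT):
        print(f"blocked endpoint in {key}: {url}")
```

The scanner reports `model_endpoint` (host 0.0.0.1, inside 0.0.0.0/8) and `metadata_endpoint`, while `naive_validate` accepts the 0.0.0.1 URL, which is the gap this CVE describes. The same range check belongs at connect time as well, after any DNS name has been resolved, because a validator that only inspects the literal written in the file is bypassed by a name that resolves into a blocked range.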