CVE-2026-41914
SSRF Vulnerability in OpenClaw QQ Bot Media Download Bypasses Protection
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41914 is a Server-Side Request Forgery (SSRF) vulnerability found in OpenClaw versions before 2026.4.8, specifically in the QQ Bot media download paths.
This vulnerability allows attackers to exploit unprotected media fetch endpoints by bypassing SSRF protections and allowlist policies.
As a result, attackers can make the server access internal resources that should normally be protected.
How can this vulnerability impact me? :
The vulnerability enables attackers with low privileges and no user interaction to bypass security controls and access internal resources.
This can lead to unauthorized access to sensitive internal systems or data, potentially compromising the integrity of those resources.
However, the impact on confidentiality and availability is rated as none, while integrity impact is low.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade OpenClaw to version 2026.4.8 or later, where the SSRF vulnerability in the QQ Bot media download paths has been fixed.
This update ensures that media download requests are properly routed through SSRF guards and allowlist policies, preventing unauthorized access to internal resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-41914 allows attackers to bypass SSRF protections and allowlist policies to access internal resources via unprotected media fetch endpoints in OpenClaw. This unauthorized access to internal resources could potentially lead to exposure of sensitive data.
Such unauthorized access and potential data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
However, the provided information does not explicitly detail the direct compliance implications or specific data types affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect the CVE-2026-41914 vulnerability on your system, you should check if your OpenClaw installation is a version prior to 2026.4.8, as those versions contain the SSRF vulnerability in the QQ Bot media download paths.
Detection can involve monitoring network traffic for unusual or unauthorized requests to internal resources originating from the QQ Bot media fetch endpoints, which may indicate exploitation attempts.
While no specific detection commands are provided in the resources, general approaches include:
- Reviewing OpenClaw version with a command like `openclaw --version` or checking the package version in your environment.
- Using network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze outgoing requests from the QQ Bot media download paths for suspicious internal resource access.
- Searching application logs for requests to media fetch endpoints that bypass SSRF protections or allowlist policies.
To mitigate detection and exploitation, ensure your OpenClaw installation is updated to version 2026.4.8 or later, where the vulnerability has been patched.