CVE-2026-16196
Received Received - Intake

Server-Side Request Forgery in Sipeed PicoClaw

Vulnerability report for CVE-2026-16196, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component web_fetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405. To fix this issue, it is recommended to deploy a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sipeed pico_claw to 0.2.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a server-side request forgery (SSRF) in Sipeed PicoClaw up to version 0.2.9. It exists in the function isPrivateOrRestrictedIP within the file pkg/tools/integration/web.go of the web_fetch component. An attacker can remotely initiate requests that should be restricted, potentially accessing internal systems or data.

Detection Guidance

The vulnerability CVE-2026-16196 is related to a server-side request forgery in Sipeed PicoClaw up to version 0.2.9. To detect it, check if the affected component (pkg/tools/integration/web.go) is present and inspect network traffic for unusual requests originating from the system. No specific commands are provided in the context.

Impact Analysis

The impact includes unauthorized access to internal resources, data exfiltration, or potential denial of service. Since the exploit is public, attackers could use it to send crafted requests to internal systems, bypassing network restrictions. The vulnerability affects confidentiality, integrity, and availability of affected systems.

Compliance Impact

This vulnerability enables server-side request forgery (SSRF), which could allow unauthorized access to internal systems or data. Such access may lead to violations of data protection requirements under GDPR or HIPAA if sensitive information is exposed or improperly handled.

Mitigation Strategies

Update Sipeed PicoClaw to the patched version using the provided patch name 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405. Remove any public exposure of the vulnerable function isPrivateOrRestrictedIP in pkg/tools/integration/web.go.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart