Severity: MEDIUM 5.8 · Ecosystem: npm

Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation

GHSA-r747-33r4-rmjw

Published · Modified

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.20 contains a server-side request forgery (SSRF) vulnerability in QQBot direct media upload, which skips URL validation. Attackers can bypass the SSRF protections by sending crafted image URLs to the uploadC2CMedia and uploadGroupMedia endpoints, causing the server to relay unintended requests.
