Skip to content
Threat Feed
high advisory

CVE-2026-16125: Server-Side Request Forgery in zevorn rt-claw

A critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-16125, affects zevorn rt-claw versions up to and including 0.2.0, residing in the claw_net_get/claw_net_post functions within the http_request component, allowing remote attackers to manipulate the URL argument and access internal resources or perform port scanning.

What's new

  • l2 added detection rule: Detect CVE-2026-16127 Exploitation - Zevorn RT-Claw SSRF Attempt Jul 18, 16:20 via nvd
  • l2 added CVE-2026-16126 Jul 18, 16:19 via nvd

A significant server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-16125, has been identified in zevorn rt-claw software, specifically impacting versions up to and including 0.2.0. This flaw exists within the claw_net_get and claw_net_post functions located in the claw/services/tools/net.c file, part of the application's http_request component. Attackers can remotely exploit this vulnerability by manipulating the url argument, leading to the application making requests to arbitrary internal or external destinations. This allows adversaries to bypass network access controls, gather sensitive information, or interact with services not intended for public exposure. An exploit for CVE-2026-16125 has been publicly released, increasing the urgency for users to address this vulnerability to prevent potential compromise of internal systems.

Attack Chain

  1. Attacker identifies an internet-facing zevorn rt-claw application instance running version 0.2.0 or earlier.
  2. Attacker crafts a specially formed HTTP request targeting the vulnerable claw_net_get or claw_net_post functions.
  3. The crafted request includes a manipulated url argument containing an arbitrary internal IP address, hostname, or sensitive service endpoint.
  4. The zevorn rt-claw application processes this malicious url parameter without adequate validation or sanitization.
  5. The application's http_request component then makes an unintended, server-side outbound connection to the attacker-specified internal or external resource.
  6. This server-side request forgery (SSRF) allows the attacker to bypass network segmentation, probe internal services, or access metadata services (e.g., cloud instance metadata).
  7. The final objective can range from internal network reconnaissance and information disclosure to potential further exploitation of discovered internal services or exfiltration of sensitive data.

Impact

A successful exploitation of CVE-2026-16125 can have severe consequences, rated with a CVSS v3.1 Base Score of 7.3 (High). The primary impact includes unauthorized access to internal network resources, bypassing network firewalls and segmentation. Attackers can use this vulnerability to perform port scanning of internal hosts, access sensitive web services, or retrieve cloud provider metadata, which often contains credentials or configuration details. This can lead to significant information disclosure, lateral movement within the network, and potentially complete system compromise, enabling further sophisticated attacks against the organization's infrastructure.

Recommendation

  • Patch CVE-2026-16125 immediately by updating zevorn rt-claw to a version greater than 0.2.0, once released by the vendor.
  • Monitor your webserver logs for the rt-claw application for unusual url parameters containing internal IP addresses, non-standard ports, or suspicious domain names.

Detection coverage 1

Detect CVE-2026-16127 Exploitation - Zevorn RT-Claw SSRF Attempt

high

Detects CVE-2026-16127 exploitation - Server-Side Request Forgery vulnerability in zevorn rt-claw, by monitoring web server logs for suspicious URL arguments targeting internal resources.

sigma tactics: collection, discovery, initial_access techniques: T1005, T1046, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →

Indicators of compromise

2

email

8

url

TypeValue
urlhttps://github.com/zevorn/rt-claw/
urlhttps://github.com/zevorn/rt-claw/issues/135
urlhttps://github.com/zevorn/rt-claw/issues/137
urlhttps://vuldb.com/cve/CVE-2026-16126
urlhttps://vuldb.com/submit/856870
urlhttps://vuldb.com/submit/856871
urlhttps://vuldb.com/vuln/379838
urlhttps://vuldb.com/vuln/379838/cti
emailnvd@nist.gov
emailsoc@us-cert.gov