Vulnerability in poco-ai poco-claw Leads to Server-Side Request Forgery (CVE-2026-16016)
A high-severity server-side request forgery (SSRF) vulnerability, identified as CVE-2026-16016, exists in poco-ai's poco-claw software up to version 0.5.4, allowing remote attackers to manipulate the `callback_url` argument in the `run_task` function to force the server to make arbitrary requests, with a public exploit available posing an immediate risk.
A high-severity server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-16016, has been identified in poco-ai poco-claw versions up to and including 0.5.4. This flaw specifically affects the run_task function located within the executor/app/api/v1/task.py file. Attackers can exploit this vulnerability by manipulating the callback_url argument, compelling the affected poco-claw instance to initiate arbitrary requests to internal or external systems. The vulnerability can be exploited remotely, and a public exploit is known to be available, indicating an increased risk of active exploitation. Defenders should prioritize patching and monitoring for unusual outbound connections from affected systems to mitigate potential information disclosure or internal network access.
Attack Chain
- An attacker discovers an internet-facing instance of
poco-ai poco-clawversion 0.5.4 or earlier. - The attacker crafts an HTTP POST request targeting the
run_taskfunction exposed via the/api/v1/task.pyendpoint on the vulnerable server. - Within the request, the attacker provides a maliciously constructed internal or external URL as the value for the
callback_urlargument. - The vulnerable
poco-clawapplication, lacking proper input validation for thecallback_urlparameter, processes therun_taskrequest. - The
run_taskfunction initiates an outbound HTTP request from thepoco-clawhost to the URL specified by the attacker incallback_url. - This server-side request is performed by the
poco-clawinstance, allowing the attacker to interact with internal network resources, bypass firewall restrictions, or perform network scans from the server's context. - The attacker receives or infers the response to the SSRF-induced request, gathering information about internal services or performing actions on behalf of the
poco-clawserver. - This gained access or information can then be leveraged for further reconnaissance, lateral movement within the network, or data exfiltration.
Impact
Successful exploitation of CVE-2026-16016 leads to server-side request forgery, which can have significant consequences. Attackers can leverage this to bypass network access controls, scan internal networks, access sensitive internal services, or exfiltrate data from systems that are otherwise unreachable from the internet. The remote exploitability and public availability of exploit code increase the likelihood of widespread attacks, potentially leading to unauthorized access to critical internal infrastructure and sensitive information.
Recommendation
- Patch all
poco-ai poco-clawinstances to a version greater than 0.5.4 immediately to remediate CVE-2026-16016. - Deploy the Sigma rule "Detect Potential Server-Side Request Forgery to Private IPs" to your SIEM and tune it for your environment.
- Enable comprehensive network connection logging for servers running
poco-clawapplications to monitor for unusual outbound requests. - Implement outbound firewall rules to restrict network connections initiated by the
poco-clawapplication only to necessary and approved destinations.
Detection coverage 1
Detect Potential Server-Side Request Forgery to Private IPs
highDetects outbound network connections from a server to private IP address ranges, which can indicate successful exploitation of Server-Side Request Forgery (SSRF) vulnerabilities like CVE-2026-16016.
Detection queries are available on the platform. Get full rules →