{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zalo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-44116"}],"_cs_exploited":false,"_cs_products":["OpenClaw","Zalo plugin"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-44116","openclaw","zalo"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a web application, is susceptible to a server-side request forgery (SSRF) vulnerability (CVE-2026-44116) affecting versions prior to 2026.4.22. The vulnerability resides within the Zalo plugin\u0026rsquo;s sendPhoto function, specifically in how it validates outbound photo URLs. The absence of proper SSRF guard validation allows a malicious actor to craft photo URLs that, when processed by the Zalo Bot API, can bypass intended security controls. This can lead to unauthorized access to internal resources that would otherwise be protected. Successful exploitation enables an attacker to make requests on behalf of the server, potentially exposing sensitive data or enabling further malicious activity within the internal network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance running a version prior to 2026.4.22 with the Zalo plugin enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious photo URL designed to target an internal resource.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the Zalo Bot API to send a request including the crafted malicious photo URL to the sendPhoto function.\u003c/li\u003e\n\u003cli\u003eThe sendPhoto function attempts to retrieve the photo from the attacker-controlled URL without proper SSRF validation.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server makes an HTTP request to the internal resource specified in the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe internal resource responds to the OpenClaw server, potentially disclosing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the response from the internal resource, gaining unauthorized access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44116 can lead to the exposure of sensitive internal resources. An attacker could potentially access internal databases, configuration files, or other services that are not intended to be exposed to the public internet. The specific impact depends on the nature of the internal resources accessible and could range from information disclosure to remote code execution if coupled with other vulnerabilities. The lack of specific victim numbers or targeted sectors in the report makes quantification difficult, but the high CVSS score suggests a significant potential for damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.22 or later to patch the SSRF vulnerability in the Zalo plugin\u0026rsquo;s sendPhoto function as stated in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenClaw Zalo Plugin SSRF Attempt\u003c/code\u003e to monitor for suspicious requests to internal resources originating from the OpenClaw server.\u003c/li\u003e\n\u003cli\u003eReview and harden internal network segmentation to limit the impact of potential SSRF vulnerabilities as the successful exploitation could expose internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T20:16:35Z","date_published":"2026-05-06T20:16:35Z","id":"/briefs/2026-05-openclaw-ssrf/","summary":"OpenClaw before 2026.4.22 is vulnerable to server-side request forgery (SSRF) due to improper validation of outbound photo URLs in the Zalo plugin's sendPhoto function, allowing attackers to potentially access internal resources by providing malicious photo URLs to the Zalo Bot API.","title":"OpenClaw SSRF Vulnerability in Zalo Plugin (CVE-2026-44116)","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Zalo","version":"https://jsonfeed.org/version/1.1"}