{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/poco-ai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-16016"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["poco-claw \u003c= 0.5.4"],"_cs_severities":["high"],"_cs_tags":["server-side-request-forgery","ssrf","web-vulnerability","python","remote-code-execution","cve"],"_cs_type":"threat","_cs_vendors":["poco-ai"],"content_html":"\u003cp\u003eA high-severity server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-16016, has been identified in \u003ccode\u003epoco-ai poco-claw\u003c/code\u003e versions up to and including 0.5.4. This flaw specifically affects the \u003ccode\u003erun_task\u003c/code\u003e function located within the \u003ccode\u003eexecutor/app/api/v1/task.py\u003c/code\u003e file. Attackers can exploit this vulnerability by manipulating the \u003ccode\u003ecallback_url\u003c/code\u003e argument, compelling the affected \u003ccode\u003epoco-claw\u003c/code\u003e instance to initiate arbitrary requests to internal or external systems. The vulnerability can be exploited remotely, and a public exploit is known to be available, indicating an increased risk of active exploitation. Defenders should prioritize patching and monitoring for unusual outbound connections from affected systems to mitigate potential information disclosure or internal network access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker discovers an internet-facing instance of \u003ccode\u003epoco-ai poco-claw\u003c/code\u003e version 0.5.4 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeting the \u003ccode\u003erun_task\u003c/code\u003e function exposed via the \u003ccode\u003e/api/v1/task.py\u003c/code\u003e endpoint on the vulnerable server.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker provides a maliciously constructed internal or external URL as the value for the \u003ccode\u003ecallback_url\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003epoco-claw\u003c/code\u003e application, lacking proper input validation for the \u003ccode\u003ecallback_url\u003c/code\u003e parameter, processes the \u003ccode\u003erun_task\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_task\u003c/code\u003e function initiates an outbound HTTP request from the \u003ccode\u003epoco-claw\u003c/code\u003e host to the URL specified by the attacker in \u003ccode\u003ecallback_url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis server-side request is performed by the \u003ccode\u003epoco-claw\u003c/code\u003e instance, allowing the attacker to interact with internal network resources, bypass firewall restrictions, or perform network scans from the server's context.\u003c/li\u003e\n\u003cli\u003eThe attacker receives or infers the response to the SSRF-induced request, gathering information about internal services or performing actions on behalf of the \u003ccode\u003epoco-claw\u003c/code\u003e server.\u003c/li\u003e\n\u003cli\u003eThis gained access or information can then be leveraged for further reconnaissance, lateral movement within the network, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-16016 leads to server-side request forgery, which can have significant consequences. Attackers can leverage this to bypass network access controls, scan internal networks, access sensitive internal services, or exfiltrate data from systems that are otherwise unreachable from the internet. The remote exploitability and public availability of exploit code increase the likelihood of widespread attacks, potentially leading to unauthorized access to critical internal infrastructure and sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch all \u003ccode\u003epoco-ai poco-claw\u003c/code\u003e instances to a version greater than 0.5.4 immediately to remediate CVE-2026-16016.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Potential Server-Side Request Forgery to Private IPs\u0026quot; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive network connection logging for servers running \u003ccode\u003epoco-claw\u003c/code\u003e applications to monitor for unusual outbound requests.\u003c/li\u003e\n\u003cli\u003eImplement outbound firewall rules to restrict network connections initiated by the \u003ccode\u003epoco-claw\u003c/code\u003e application only to necessary and approved destinations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T14:18:18Z","date_published":"2026-07-17T14:18:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-poco-claw-ssrf/","summary":"A high-severity server-side request forgery (SSRF) vulnerability, identified as CVE-2026-16016, exists in poco-ai's poco-claw software up to version 0.5.4, allowing remote attackers to manipulate the `callback_url` argument in the `run_task` function to force the server to make arbitrary requests, with a public exploit available posing an immediate risk.","title":"Vulnerability in poco-ai poco-claw Leads to Server-Side Request Forgery (CVE-2026-16016)","url":"https://feed.craftedsignal.io/briefs/2026-07-poco-claw-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Poco-Ai","version":"https://jsonfeed.org/version/1.1"}