Impact
The flaw is a server-side request forgery (SSRF) that lets an attacker force the OpenClaw application to make outbound HTTP requests through its media fetch endpoints. By constructing malicious URLs, the attacker can bypass the built-in SSRF protection and reach any internal server exposed to the application's network, potentially leaking sensitive data or enabling further attacks. The weakness is classified as CWE-918 and carries a CVSS score of 5.1, indicating medium severity if exploited. No local user privileges are required; the vulnerability is triggered by an attacker interacting with the QQ Bot interface.

Affected systems: The OpenClaw platform, versions earlier than 2026.4.8, is impacted. The product is distributed under the OpenClaw:OpenClaw banner and is deployed on Node.js environments.

Risk and exploitability: With a CVSS of 5.1 and no EPSS score available, the likelihood of exploitation is uncertain, but the potential for internal compromise is significant. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the SSRF by sending specially crafted media fetch requests to the QQ Bot endpoint; the application resolves the URL without validating the destination, so any internal resource reachable from the host can be accessed. The absence of an allowlist and the ability to target arbitrary URLs make this a classic SSRF scenario.
Affected Systems
The OpenClaw platform, versions earlier than 2026.4.8, running on Node.js environments, is affected.
Risk and Exploitability
The CVSS score of 5.1 indicates medium severity; the EPSS score is not available and the vulnerability is not in the CISA KEV catalog. The flaw is exploitable by sending crafted media fetch requests to the QQ Bot endpoint, which lets the attacker reach internal resources that are otherwise protected by allowlist policies. Because the SSRF checks can be bypassed, the risk of internal data exposure is high when the application is reachable by the attacker.
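The advisory attributes the flaw to a media fetch path that resolves attacker-supplied URLs without validating the destination and without an allowlist. The following is an added, self-contained example of the destination check a Node.js media fetcher should apply before making the request; it is not OpenClaw's code, and the allowlisted hostnames and the injected `resolve` function are assumptions so that it runs offline.

```javascript
// Added example (not OpenClaw's code): destination validation for a media
// fetch endpoint. DNS resolution is injected so the function runs offline; in
// production, resolve with dns.promises.lookup({ all: true }) and connect to
// the address that passed the check rather than re-resolving the hostname,
// which closes the DNS-rebinding window between check and fetch.

// Hypothetical allowlist of hosts the bot is permitted to fetch media from.
const ALLOWED_HOSTS = new Set(["cdn.example.org", "media.example.org"]);

function isBlockedIPv4(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return true;
  const o = parts.map(Number);
  if (o.some((n) => n > 255)) return true;
  return (
    o[0] === 10 ||                                  // 10/8 private
    o[0] === 127 ||                                 // loopback
    o[0] === 0 ||                                   // "this" network
    (o[0] === 169 && o[1] === 254) ||               // link-local, incl. cloud metadata
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||   // 172.16/12 private
    (o[0] === 192 && o[1] === 168) ||               // 192.168/16 private
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127) ||  // 100.64/10 CGNAT
    o[0] >= 224                                     // multicast / reserved
  );
}

function isBlockedAddress(ip) {
  const a = ip.toLowerCase();
  if (a.includes(":")) {
    const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
    if (mapped) return isBlockedIPv4(mapped[1]);
    return a === "::1" || a === "::" || /^f[cd]/.test(a) || a.startsWith("fe80:");
  }
  return isBlockedIPv4(a);
}

// Returns { ok: true, ip } for a fetchable URL, or { ok: false, reason }.
// `resolve(hostname)` returns the list of IP strings the host resolves to.
function validateMediaUrl(input, resolve) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host not allowlisted" };
  const ips = resolve(host);
  if (ips.length === 0) return { ok: false, reason: "unresolvable" };
  // Every resolved address must be public; a single private record blocks the fetch.
  const bad = ips.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `resolves to blocked address ${bad}` };
  return { ok: true, ip: ips[0] };
}
```

The same check must be re-applied to each hop when the HTTP client follows redirects (or redirects must be disabled), otherwise an allowlisted host can bounce the fetch to an internal address.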
OpenCVE Enrichment