Impact
OpenClaw releases prior to 2026.4.22 contain a server-side request forgery in the Zalo plugin's sendPhoto method. The function does not validate outbound photo URLs against the configured SSRF guard, so any attacker who can invoke the Zalo Bot API can supply a malicious URL. This lets the attacker force the server to issue requests to arbitrary internal resources, exposing data or enabling further footholds. The weakness is classified as CWE-918 (Server-Side Request Forgery), in which an application fetches a URL supplied by a user without adequately restricting the destination host.
Affected Systems
The affected product is the OpenClaw chatbot framework, specifically all installations older than the 2026.4.22 release. Any deployment that uses the Zalo plugin and has the sendPhoto capability enabled before that version is vulnerable. The CPE indicates that the issue exists in Node.js environments running OpenClaw. The advisory lists no other patched versions; users should upgrade to 2026.4.22 or later.
Risk and Exploitability
The CVSS score of 6.9 marks the vulnerability as moderate, and no EPSS score is available, so the likelihood of exploitation cannot be quantified; the most likely attack vector is the public API exposed by the Zalo bot. Because the flaw allows arbitrary outbound connections, attackers can reach internal systems that are otherwise protected by network segmentation. The vulnerability is not yet listed in the CISA KEV catalog, and no public exploits have been reported, but the nature of SSRF suggests that an attacker could use it to pivot into the internal network or exfiltrate sensitive data.
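As an added illustration of the check the Impact section says sendPhoto skipped (example code written for this page, not OpenClaw's own guard), the block below validates an outbound photo URL before any fetch: scheme and userinfo checks, canonicalisation of numeric hosts, and rejection of every resolved address that falls in a loopback, private, link-local or otherwise internal range. The names `isSafePhotoUrl`, `hostOf`, `isBlockedAddress` and the injected `lookup` are this example's own; it assumes a Node.js runtime where `URL` is global.

```javascript
// Added example, not OpenClaw's code: an outbound-URL guard of the kind the
// advisory says sendPhoto skipped. `lookup(host)` is injected (in production,
// a wrapper over dns.promises.lookup(host, { all: true })) so the check runs offline.

function ipv4ToInt(ip) {
  const m = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// IPv4 ranges a photo fetch must never reach: "this" network, RFC 1918, CGNAT,
// loopback, link-local (cloud metadata services sit in 169.254/16), multicast/reserved.
const BLOCKED_V4 = [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3]];

function isBlockedAddress(addr) {
  const a = addr.toLowerCase();
  if (a.includes(":")) {                                   // IPv6 literal
    // IPv4-mapped (dotted from getaddrinfo, hex after WHATWG URL normalisation): judge the v4 part
    const m = a.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
    if (m && m[1]) return isBlockedAddress(m[1]);
    if (m) { const hi = parseInt(m[2], 16), lo = parseInt(m[3], 16);
      return isBlockedAddress([hi >> 8, hi & 255, lo >> 8, lo & 255].join(".")); }
    return a === "::" || a === "::1" || /^fe[89ab]/.test(a) || /^f[cd]/.test(a); // unspecified, loopback, link-local, ULA
  }
  const n = ipv4ToInt(a);
  if (n === null) return true;                             // unparsable: fail closed
  return BLOCKED_V4.some(([net, bits]) => (n >>> (32 - bits)) === (ipv4ToInt(net) >>> (32 - bits)));
}

// Returns the hostname to resolve, or null if the URL is unacceptable before any DNS work.
function hostOf(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if ((u.protocol !== "http:" && u.protocol !== "https:") || u.username || u.password) return null;
  const host = u.hostname.replace(/^\[|\]$/g, "");         // Node keeps brackets on IPv6 hostnames
  if (host === "" || host === "localhost" || host.endsWith(".localhost")) return null;
  return host;   // WHATWG parsing has already canonicalised 0x7f000001, 2130706433 and 0177.0.0.1 to 127.0.0.1
}

const isLiteral = (h) => h.includes(":") || /^\d+\.\d+\.\d+\.\d+$/.test(h);

async function isSafePhotoUrl(rawUrl, lookup) {
  const host = hostOf(rawUrl);
  if (host === null) return false;
  let addrs;
  try { addrs = isLiteral(host) ? [host] : await lookup(host); } catch { return false; }
  // Every answer must be public: a mixed answer (one public, one internal) is rejected.
  // The fetch must then connect to these same addresses; re-resolving at connect time
  // reopens the DNS-rebinding window this check was meant to close.
  return addrs.length > 0 && addrs.every((a) => !isBlockedAddress(a));
}
```

Redirects need the same treatment: a fetch that follows a 3xx to a new host must run the guard again on each hop, or disable automatic redirects and handle them itself.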
OpenCVE Enrichment