CVE-2026-44116
OpenClaw prior to version 2026.4.22 is affected by a server-side request forgery in the Zalo plugin’s sendPhoto function, failing to validate outbound photo URLs against the SSRF guard. An attacker can bypass SSRF protection by supplying malicious photo URLs to the Zalo Bot API, enabling unauthor...