GHSA-c4qg-j8jg-42q5: OpenClaw SSRF — LOW

Q: Is GHSA-c4qg-j8jg-42q5 actively exploited?

No confirmed active exploitation of GHSA-c4qg-j8jg-42q5 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-c4qg-j8jg-42q5?

1. Upgrade openclaw to 2026.4.20 (fix commit 49db424c). 2. If immediate upgrade is not feasible, disable QQBot direct-upload media functionality at the application or network level. 3. Apply egress filtering on the openclaw host to block requests to RFC-1918 ranges and cloud metadata endpoints (169.254.169.254, fd00::/8). 4. Audit outbound HTTP request logs from the openclaw process for anomalous destinations. 5. Given the 135-CVE history, evaluate whether openclaw should remain in your AI agent dependency stack.

Q: What systems are affected by GHSA-c4qg-j8jg-42q5?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, chatbot integrations, cloud-hosted AI agents.

Q: What is the CVSS score for GHSA-c4qg-j8jg-42q5?

No CVSS score has been assigned yet.

CISO Take

A Server-Side Request Forgery vulnerability in openclaw's QQBot direct-upload media path allows an attacker to supply arbitrary image URLs that the server will forward without applying the SSRF validation enforced on the local download path, potentially enabling unauthorized outbound requests to internal infrastructure. With only 4 downstream dependents and no public exploit, KEV listing, or EPSS data, exploitation likelihood is low — but openclaw's track record of 135 CVEs in the same package signals systemic security hygiene issues that should inform your AI agent dependency risk posture. Operators running openclaw-based QQBot deployments in cloud environments (where SSRF can reach metadata endpoints) face higher effective risk than the low CVSS rating implies. Patch to version 2026.4.20 immediately; no workaround is available for the unpatched path.

Sources: GitHub Advisory ATLAS CISA KEV

What is the risk?

Low baseline severity per CVSS, but contextually elevated for cloud-hosted AI agent deployments. The vulnerability is constrained to QQBot outbound media handling and does not expose local files. However, SSRF in cloud environments can reach AWS/GCP/Azure instance metadata endpoints (169.254.169.254), internal VPCs, and non-public services. The absence of EPSS data and public exploits keeps this in the monitor-and-patch category rather than emergency response. The 135 CVE history for this package is a red flag for dependency risk.

How does the attack unfold?

Malicious URL Injection

Attacker sends a QQBot message to a bot powered by openclaw, embedding an attacker-controlled image URL targeting an internal resource such as a cloud metadata endpoint.

AML.T0049

SSRF Trigger

openclaw's QQBot direct-upload path forwards the attacker-supplied URL to uploadC2CMedia or uploadGroupMedia without applying SSRF validation, causing the server to issue an unauthorized outbound HTTP request.

AML.T0053

Internal Reconnaissance

The server's outbound request reaches internal infrastructure (cloud metadata, private services, RFC-1918 hosts), allowing the attacker to probe internal network topology or retrieve sensitive data such as IAM credentials.

AML.T0086

Credential or Data Exfiltration

If the SSRF reaches a cloud metadata endpoint (e.g., AWS IMDSv1), the attacker retrieves temporary credentials enabling lateral movement from the AI agent's cloud identity.

Malicious URL Injection

Attacker sends a QQBot message to a bot powered by openclaw, embedding an attacker-controlled image URL targeting an internal resource such as a cloud metadata endpoint.

AML.T0049

SSRF Trigger

openclaw's QQBot direct-upload path forwards the attacker-supplied URL to uploadC2CMedia or uploadGroupMedia without applying SSRF validation, causing the server to issue an unauthorized outbound HTTP request.

AML.T0053

Internal Reconnaissance

The server's outbound request reaches internal infrastructure (cloud metadata, private services, RFC-1918 hosts), allowing the attacker to probe internal network topology or retrieve sensitive data such as IAM credentials.

AML.T0086

Credential or Data Exfiltration

If the SSRF reaches a cloud metadata endpoint (e.g., AWS IMDSv1), the attacker retrieves temporary credentials enabling lateral movement from the AI agent's cloud identity.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	npm	< 2026.4.20	`2026.4.20`
4 dependents 37% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Upgrade openclaw to 2026.4.20 (fix commit 49db424c).
If immediate upgrade is not feasible, disable QQBot direct-upload media functionality at the application or network level.
Apply egress filtering on the openclaw host to block requests to RFC-1918 ranges and cloud metadata endpoints (169.254.169.254, fd00::/8).
Audit outbound HTTP request logs from the openclaw process for anomalous destinations.
Given the 135-CVE history, evaluate whether openclaw should remain in your AI agent dependency stack.

How is it classified?

Supply Chain Data Extraction Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0086 - Exfiltration via AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - AI system security

NIST AI RMF

MANAGE-2.2 - Treatments are maintained and documented

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-c4qg-j8jg-42q5?

A Server-Side Request Forgery vulnerability in openclaw's QQBot direct-upload media path allows an attacker to supply arbitrary image URLs that the server will forward without applying the SSRF validation enforced on the local download path, potentially enabling unauthorized outbound requests to internal infrastructure. With only 4 downstream dependents and no public exploit, KEV listing, or EPSS data, exploitation likelihood is low — but openclaw's track record of 135 CVEs in the same package signals systemic security hygiene issues that should inform your AI agent dependency risk posture. Operators running openclaw-based QQBot deployments in cloud environments (where SSRF can reach metadata endpoints) face higher effective risk than the low CVSS rating implies. Patch to version 2026.4.20 immediately; no workaround is available for the unpatched path.

Is GHSA-c4qg-j8jg-42q5 actively exploited?

No confirmed active exploitation of GHSA-c4qg-j8jg-42q5 has been reported, but organizations should still patch proactively.

How to fix GHSA-c4qg-j8jg-42q5?

1. Upgrade openclaw to 2026.4.20 (fix commit 49db424c). 2. If immediate upgrade is not feasible, disable QQBot direct-upload media functionality at the application or network level. 3. Apply egress filtering on the openclaw host to block requests to RFC-1918 ranges and cloud metadata endpoints (169.254.169.254, fd00::/8). 4. Audit outbound HTTP request logs from the openclaw process for anomalous destinations. 5. Given the 135-CVE history, evaluate whether openclaw should remain in your AI agent dependency stack.

What systems are affected by GHSA-c4qg-j8jg-42q5?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, chatbot integrations, cloud-hosted AI agents.

What is the CVSS score for GHSA-c4qg-j8jg-42q5?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworkschatbot integrationscloud-hosted AI agents

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.6.2.5

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow. The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low. ## Fix OpenClaw now validates QQBot direct-upload media URLs before `uploadC2CMedia` and `uploadGroupMedia` direct-upload calls. Fix commit: - `49db424c8001f2f419aad85f434894d8d85c1a09` ## Release Fixed in OpenClaw `2026.4.20`.

Exploitation Scenario

An attacker sends a QQBot message to an AI agent running openclaw, embedding a crafted image URL pointing to an internal target such as http://169.254.169.254/latest/meta-data/ (AWS IMDSv1) or an internal microservice. When the agent processes the message and triggers the direct-upload path, openclaw forwards the attacker-controlled URL to uploadC2CMedia or uploadGroupMedia without SSRF validation. The server issues an outbound HTTP request to the target, and the response — including cloud credentials or internal service data — may be observable through error messages, timing differences, or logged responses, enabling internal network reconnaissance.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.