CVE-2026-43526: OpenClaw QQBot SSRF Flaw Exposes Content Fetching
The National Vulnerability Database has disclosed CVE-2026-43526, a critical Server-Side Request Forgery (SSRF) vulnerability impacting OpenClaw versions prior to 2026.4.12. This flaw resides within the QQBot’s handling of media URLs. Attackers can exploit this by submitting crafted media URLs, compelling the server to request arbitrary content from external or internal sources. The fetched data is then re-uploaded via the channel, potentially exfiltrating sensitive information or enabling further network reconnaissance.
The National Vulnerability Database assigns this vulnerability a CVSS score of 8.2 (HIGH), highlighting its significant risk. The lack of specified affected products in the initial reporting means administrators must proactively investigate their OpenClaw deployments. This SSRF vulnerability bypasses typical network access controls by leveraging the server’s own outbound request capabilities, making it a potent tool for attackers seeking to probe internal networks or access cloud resources.
Defenders should prioritize patching OpenClaw instances to version 2026.4.12 or later immediately. For systems that cannot be patched promptly, implementing strict network segmentation and egress filtering is crucial. Monitoring outbound traffic for unusual requests originating from the QQBot service can help detect exploitation attempts. Organizations should also review access controls for the QQBot service to limit its ability to initiate network requests.
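Beyond patching, the durable fix for this class of bug is to validate a media URL before the bot fetches it. The following is an added illustration written for this page, not OpenClaw's own code: it allowlists schemes and hosts, resolves every address a name maps to, and rejects loopback, private, link-local (where cloud metadata services sit), IPv4-mapped IPv6 and multicast targets. The allowlisted host is a constructed placeholder, and `resolve` is injectable so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for illustration: a real deployment would list the
# hosts the QQ platform actually serves media from (assumption).
ALLOWED_MEDIA_HOSTS = frozenset({"media.example-cdn.test"})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses, v4 or v6."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    # is_global excludes private, loopback, link-local (169.254.0.0/16, where
    # cloud metadata services live), reserved and unspecified ranges.
    return ip.is_global and not ip.is_multicast


def resolve_all(host: str) -> list:
    """Every address a name resolves to (v4 and v6); the fetch must pin one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_media_url(url, resolve=resolve_all, allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """Return (ok, reason, addresses); run before any request is made."""
    try:
        parsed = urlparse(url)
        host = parsed.hostname
    except ValueError:
        return False, "unparseable url", []
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not host or parsed.username or parsed.password:
        return False, "missing host or embedded credentials", []
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist", []
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "dns failure", []
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked or not addrs:
        return False, "non-public or missing address: " + ",".join(blocked), []
    return True, "ok", list(addrs)
```

The fetch that follows should connect to one of the returned addresses rather than re-resolving (otherwise a DNS answer that changes between check and fetch defeats the test), and should disable automatic redirects so every `Location` target passes through the same check.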
What This Means For You
- If your organization uses OpenClaw's QQBot, verify your version and patch to 2026.4.12 or higher immediately. Audit your network logs for any suspicious outbound requests originating from the QQBot service, especially those fetching content from unexpected internal or external IP addresses.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43526 | Vulnerability | CVE-2026-43526 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.