GHSA-c4qg-j8jg-42q5: OpenClaw: QQBot direct media upload skipped URL SSRF validation

April 25, 2026

The QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow.

The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low.

References

github.com/advisories/GHSA-c4qg-j8jg-42q5
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09
github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5

Code Behaviors & Features

Detect and mitigate GHSA-c4qg-j8jg-42q5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →