CVE-2026-16016
poco-ai · poco-claw
A Server-Side Request Forgery vulnerability in poco-ai poco-claw allows unauthenticated attackers to manipulate server-side requests.
Executive summary
An unauthenticated Server-Side Request Forgery vulnerability in poco-ai poco-claw is currently associated with a known proof-of-concept, elevating the risk of exploitation.
Vulnerability
This is a Server-Side Request Forgery (CWE-918) vulnerability that permits an unauthenticated attacker to force the server to perform requests to arbitrary targets. The vulnerability is remotely exploitable without user interaction.
Business impact
This vulnerability carries a CVSS score of 7.3, indicating a high risk to business operations. Exploitation can lead to the exposure of internal-only systems or the exfiltration of sensitive data that is otherwise protected by network perimeters.
Remediation
Immediate Action: Monitor the project repository for the release of a patched version and apply it immediately.
Proactive Monitoring: Monitor network traffic for unusual outbound connections from the server hosting the application to internal resources or unexpected external IPs.
Compensating Controls: Deploy WAF rules designed to detect and block malicious URL schemes or prohibited IP addresses in request parameters to prevent the SSRF from succeeding.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the existence of a proof-of-concept and the high-severity nature of the vulnerability, organizations should treat this as a priority update. If an immediate patch is not available, implement strict network-level egress controls to prevent the server from accessing sensitive internal infrastructure.