CVE-2026-16084

Sipeed · PicoClaw

A Server-Side Request Forgery vulnerability in Sipeed PicoClaw allows unauthenticated attackers to manipulate server-side requests.

Executive summary

An unauthenticated Server-Side Request Forgery vulnerability in Sipeed PicoClaw presents a high risk of unauthorized internal network access.

Vulnerability

The software is susceptible to Server-Side Request Forgery (CWE-918), where an unauthenticated attacker can influence the application to make requests to unintended locations. The vulnerability is accessible over the network without requiring user interaction.

Business impact

The ability to perform SSRF can lead to the compromise of internal services, leakage of cloud metadata, or unauthorized access to internal APIs. With a CVSS score of 7.3, the vulnerability is classified as high severity, and it could serve as a pivot point for further lateral movement within a corporate network.

Remediation

Immediate Action: Update Sipeed PicoClaw to a version that includes the fix provided in commit c15aac21fe05ee103a470e1104bc891754e83392.

Proactive Monitoring: Inspect application logs for anomalous outbound HTTP/HTTPS requests that do not align with expected application behavior.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block suspicious URL parameters that might be used to trigger external requests to restricted internal resources.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

System administrators must act promptly to update all instances of PicoClaw to the patched release. Given the ease of exploitation, failure to update leaves the internal environment vulnerable to reconnaissance and potential exploitation by remote, unauthenticated threat actors.