Vulnerability  ·  2026-07-19

poco-ai poco-claw SSRF via callback_url in Task Executor

VulnerabilityMedium impactGlobalCVE-2026-16016
NVD published a high-severity (CVSS 7.3) SSRF vulnerability in poco-claw's task executor, triggered via the callback_url parameter of the run_task function, with a public exploit already available.
poco-claw is an AI agent execution/task platform; SSRF in its task callback mechanism can be used to reach internal cloud metadata services or internal-only systems from the agent execution environment, a common pivot point for further compromise of AI infrastructure.
The run_task function in executor/app/api/v1/task.py accepts a callback_url argument that is not validated, allowing an attacker to manipulate it to force the server to make requests to arbitrary internal or external endpoints (SSRF), remotely and with a publicly available exploit.
poco-ai poco-claw up to 0.5.4
No official patch confirmed at disclosure time; restrict/validate callback_url to an allowlist of trusted hosts and block requests to internal/metadata IP ranges.
poco-ai poco-claw GitHub repository
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →