CVE-2026-24231: CWE-918 Server-Side Request Forgery (SSRF) in NVIDIA NemoClaw
NVIDIA NemoClaw has a server-side request forgery (SSRF) vulnerability in the validateEndpointUrl() component. An attacker can supply a crafted endpoint URL referencing the 0.0.0.0/8 address range via a blueprint configuration file or CLI flag to trigger the SSRF. Exploiting this vulnerability may lead to information disclosure. The issue affects all versions prior to v0.0.13. There is currently no official patch or remediation guidance available from the vendor.
AI Analysis
Technical Summary
CVE-2026-24231 is a CWE-918 SSRF vulnerability in NVIDIA NemoClaw's validateEndpointUrl() function. The vulnerability allows an attacker to cause the server to make unauthorized requests by providing a specially crafted endpoint URL that targets the 0.0.0.0/8 IP address range. This can be done through a blueprint configuration file or a command-line interface flag. Successful exploitation may result in information disclosure. The vulnerability affects all versions before v0.0.13. No patch or official fix has been published as of the data available.
Potential Impact
The vulnerability enables an attacker to perform SSRF attacks that may disclose sensitive information from the affected system. The CVSS vector indicates the attack requires local access with low complexity and user interaction, but it can lead to high confidentiality impact. There is no indication of integrity or availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should avoid using versions prior to v0.0.13 if possible and monitor NVIDIA's advisories for updates. Restricting access to the affected component and validating input URLs carefully may reduce risk, but these are general mitigations and not vendor-confirmed.
CVE-2026-24231: CWE-918 Server-Side Request Forgery (SSRF) in NVIDIA NemoClaw
Description
NVIDIA NemoClaw has a server-side request forgery (SSRF) vulnerability in the validateEndpointUrl() component. An attacker can supply a crafted endpoint URL referencing the 0.0.0.0/8 address range via a blueprint configuration file or CLI flag to trigger the SSRF. Exploiting this vulnerability may lead to information disclosure. The issue affects all versions prior to v0.0.13. There is currently no official patch or remediation guidance available from the vendor.
CVSS v3.1
Score 6.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-24231 is a CWE-918 SSRF vulnerability in NVIDIA NemoClaw's validateEndpointUrl() function. The vulnerability allows an attacker to cause the server to make unauthorized requests by providing a specially crafted endpoint URL that targets the 0.0.0.0/8 IP address range. This can be done through a blueprint configuration file or a command-line interface flag. Successful exploitation may result in information disclosure. The vulnerability affects all versions before v0.0.13. No patch or official fix has been published as of the data available.
Potential Impact
The vulnerability enables an attacker to perform SSRF attacks that may disclose sensitive information from the affected system. The CVSS vector indicates the attack requires local access with low complexity and user interaction, but it can lead to high confidentiality impact. There is no indication of integrity or availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should avoid using versions prior to v0.0.13 if possible and monitor NVIDIA's advisories for updates. Restricting access to the affected component and validating input URLs carefully may reduce risk, but these are general mitigations and not vendor-confirmed.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- nvidia
- Date Reserved
- 2026-01-21T19:09:37.972Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f1649fcbff5d861047eec1
Added to database: 4/29/2026, 1:53:35 AM
Last enriched: 5/6/2026, 2:13:19 AM
Last updated: 6/13/2026, 12:50:41 AM
Views: 63
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.