CVE-2026-24231 PUBLISHED

Assigner: nvidia
Reserved: 21.01.2026 Published: 28.04.2026 Updated: 28.04.2026

NVIDIA NemoClaw contains a vulnerability in the validateEndpointUrl() SSRF protection component, where an attacker could cause a server-side request forgery by supplying a crafted endpoint URL referencing the 0.0.0.0/8 address range through a blueprint configuration file or CLI flag. A successful exploit of this vulnerability may lead to information disclosure.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 6.3

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	NVIDIA
Product	NemoClaw
Versions	Default: unaffected Version All versions prior to v0.0.13 is affected

References

https://nvd.nist.gov/vuln/detail/CVE-2026-24231
https://www.cve.org/CVERecord?id=CVE-2026-24231
https://nvidia.custhelp.com/app/answers/detail/a_id/5837

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE

Impacts

Information disclosure