A vulnerability was found in zhayujie CowAgent up to 2.1.1. It has been declared as critical. This affects the function
WebFetch.execute of the file agent/tools/web_fetch/web_fetch.py. Executing a manipulation of the argument url can lead to server-side request forgery.
This vulnerability appears as CVE-2026-16194. The attack may be performed from remote. In addition, an exploit is available.
It is recommended to upgrade the affected component.
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.