A vulnerability was found in poco-ai poco-claw up to 0.5.4. It has been rated as critical. This issue affects the function
run_task of the file executor/app/api/v1/task.py. The manipulation of the argument callback_url leads to server-side request forgery.
This vulnerability is uniquely identified as CVE-2026-16016. The attack is possible to be carried out remotely. Moreover, an exploit is present.
The reported GitHub issue was closed automatically due to inactivity.