OpenClaw (npm), Server-Side Request Forgery (SSRF), CVE-2026-1234 (Medium)

Listen to this Post

The Tlon (Urbit) extension in OpenClaw versions up to 2026.2.13 accepted a user-provided base URL for authentication. The application used this unvalidated input to construct and send an outbound HTTP request. An attacker with the ability to influence this configured URL could manipulate it to point to internal or private network addresses, such as 127.0.0.1 or 169.254.169.254 . This forced the OpenClaw server to make a request to the attacker-specified host, leading to Server-Side Request Forgery (SSRF). The vulnerability existed because the extension did not validate or sanitize the URL before making the request, allowing access to internal services that should have been protected from external access. The issue was fixed in version 2026.2.14 by implementing URL validation, normalization, and a default-deny SSRF guard for private hosts .
Platform: openclaw npm
Version: <=2026.2.13
Vulnerability: SSRF
Severity: Medium
date: 2026-02-18

Prediction: 2026-02-25

What Undercode Say:

Analytics

  • Package: `openclaw` on npm
  • Total Downloads: ~2.28 million downloads per month
  • Affected Version Range: All versions from 0.0.1 up to 2026.2.13 inclusive
  • Fix Commit: `bfa7d21e997baa8e3437657d59b1e296815cc1b1`
    – Patched Version: `2026.2.14`

Bash Commands & Code Analysis

Check installed version
npm list openclaw
Update to patched version
npm install [email protected]
Verify the fix commit in local installation
npm view [email protected] dist.tarball | xargs curl -s | tar -tz | grep ssrf.ts
Check if your configuration uses the vulnerable Tlon extension
grep -r "tlon" ~/.openclaw/config/

How Exploit:

An attacker would need to influence the Urbit URL configuration. If they can set this value (e.g., via a configuration endpoint or social engineering), they can change it to:
– `http://127.0.0.1:8080/admin` (access local services)
– `http://169.254.169.254/latest/meta-data/` (AWS metadata endpoint)
– `http://internal.corp.service/db_backup`

Protection from this CVE

  • Immediate: Upgrade to `[email protected]` or later
  • Configuration: If private network access is absolutely required, explicitly set `channels.tlon.allowPrivateNetwork: true` after understanding the risks
  • Network Segmentation: Ensure OpenClaw instances are not exposed to untrusted users who can modify extension configurations

Impact

  • Confidentiality: An attacker could read data from internal services not intended for external access, such as cloud metadata or internal dashboards
  • Integrity: Limited direct impact, though SSRF can be chained with other vulnerabilities to modify internal state
  • Availability: Potential to cause denial of service by hitting internal endpoints with high request volumes
  • Attack Vector: Network-based, requiring ability to influence the Urbit URL configuration
  • Scope: Internal network probing and access to unauthenticated internal HTTP endpoints

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top