OpenClaw (npm), SSRF, CVE-2026-XXXXX (High)

Listen to this Post

In affected versions of the `openclaw` npm package prior to 2026.2.2, a server-side request forgery (SSRF) vulnerability existed in the media attachment handling. When processing media URLs for attachments or auto-replies, the application performed a raw HTTP fetch without any SSRF protections. An attacker who could influence these URLs could craft a request targeting internal endpoints such as 127.0.0.1, RFC1918 private addresses, or cloud metadata services. The gateway would fetch the URL and return the response bytes as an attachment, exfiltrating internal data. The fix in version 2026.2.2 implements SSRF guards including private IP blocking, DNS pinning, and redirect validation .
Platform: npm package
Version: <2026.2.2
Vulnerability : SSRF
Severity: High
date: 2026-02-05

Prediction: Patched already

What Undercode Say

Analytics

The vulnerability allows attackers to force OpenClaw to make HTTP requests to internal or restricted network targets. Exploitation requires attacker-controlled invocation of the Image tool or any surface that forwards untrusted media URLs into tool calls. Remote fetches are GET-only with no custom headers, limiting impact to endpoints returning image content. Despite constraints, SSRF enables internal network probing and access to unauthenticated internal endpoints .

Commands

Check installed version
npm list openclaw
Update to patched version
npm install [email protected]
Verify fix commit
git log --oneline | grep -E "81c68f5|9bd64c8"
Test SSRF protection (if applicable)
curl -X POST https://your-openclaw-instance/api/media \
-H "Content-Type: application/json" \
-d '{"url":"http://127.0.0.1:9999/secret.txt"}'

Exploit

Attackers craft media URLs targeting internal endpoints:

http://127.0.0.1:9999/secret.txt
http://169.254.169.254/latest/meta-data/
http://192.168.1.1/admin

On vulnerable versions, the gateway fetches these URLs and returns response bytes as attachments.

Protection from this CVE

  • Upgrade to openclaw >=2026.2.2 immediately
  • Verify SSRF guards are active (private IP blocking, DNS pinning)
  • Review logs for suspicious fetch attempts to internal addresses
  • Implement network segmentation limiting gateway access
  • Audit any custom integrations using media URL handling

Impact

  • Information disclosure from internal services
  • Internal network scanning and reconnaissance
  • Cloud metadata endpoint access
  • Potential chaining with other vulnerabilities
  • No direct code execution or shell access

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top