Listen to this Post
The vulnerability arises because openclaw implements two types of browser interaction routes: “guarded” routes that enforce SSRF navigation policies (e.g., blocking requests to internal IPs, localhost, or metadata endpoints) and “existing‑session” routes that reuse a previously established browser context. When a user already has an active session (e.g., from a prior authenticated navigation), subsequent interactions or navigations via those existing‑session routes do not re‑apply the same SSRF navigation guard. An attacker who can lure a victim into an existing session – or who already controls a session through XSS or other means – can abuse these unguarded routes to make the victim’s browser send requests to arbitrary internal targets. The browser’s same‑origin policy does not block these requests because the session’s origin appears legitimate. For example, an attacker could issue a navigation command to http://169.254.169.254/latest/meta-data/ (AWS metadata) or to internal services like http://internal‑api/secret. Because the guard is missing, the request succeeds, leaking sensitive data or enabling further attacks. The root cause is a missing policy check in the navigation lifecycle for existing sessions. The fix, implemented in commit daeb74920d5ad986cb600625180037e23221e93a, ensures that all navigation and interaction routes – including those tied to existing sessions – pass through the same browser navigation policy checks before proceeding.
dailycve form:
Platform: npm openclaw
Version: <2026.4.10
Vulnerability: SSRF policy bypass
Severity: Critical
date: 2026-04-17
Prediction: 2026-04-10
What Undercode Say:
Check installed version npm list openclaw Upgrade to patched version npm install [email protected] Verify fix commit git show daeb74920d5ad986cb600625180037e23221e93a Example test (requires local setup) curl -X POST http://localhost:3000/api/session/navigate \ -H "Content-Type: application/json" \ -d '{"url":"http://169.254.169.254/latest/meta-data/"}' \ --cookie "session=existing"
Exploit:
Attacker obtains a valid session token (e.g., via phishing or XSS). Using that token, they call existing‑session browser interaction endpoints (e.g., `/api/session/{id}/navigate` or /api/session/{id}/click). The vulnerable versions do not check the target URL against SSRF blacklists, allowing the browser to access internal IPs, localhost, cloud metadata, or intranet services.
Protection from this CVE
Upgrade to openclaw >=2026.4.10. If immediate upgrade is impossible, manually apply the patch from commit daeb749 or disable existing‑session routes until patched. Also enforce outbound network policies at the firewall level to block unexpected internal requests.
Impact
An attacker can read internal metadata, interact with internal APIs, and potentially pivot to other internal systems using the victim’s browser as a proxy. This bypasses all SSRF protections that guarded routes rely on, leading to information disclosure and further compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

