The vulnerability arises because openclaw’s browser snapshot, screenshot, and tab routes do not re-validate the final browser target after a page navigation triggered by the route itself. An authenticated attacker can call these routes, causing the browser to navigate to an internal or otherwise restricted URL. The original SSRF (Server-Side Request Forgery) policy is only checked at the start of the request, not after navigation. If the initial page is allowed but a subsequent redirect or client-side navigation leads to a forbidden internal page (e.g., 127.0.0.1, metadata endpoint), the content of that internal page is captured and returned via snapshot or screenshot. This bypasses the restrictive browser SSRF configuration. The issue exists because the browser tool’s state is not re-evaluated against the policy after asynchronous navigation events.

The fix introduces a second validation step: after the route-driven navigation completes, the final target URL is re-checked against the SSRF blocklist before returning any page content to the caller. Regression tests now cover snapshot, screenshot, and tab-route flows to ensure the re-validation triggers correctly. Without this, internal services behind the same openclaw instance could be scanned or exfiltrated.

The vulnerability affects all versions prior to 2026.4.14. The patch commit b75ad800a59009fc47eaa3471410f69046150e59 in PR 66040 hardens the browser tool’s post-navigation checks.
dailycve form:
Platform: npm openclaw
Version: <2026.4.14
Vulnerability: SSRF post-navigation
Severity: Medium
Date: 2026-04-17
Prediction: 2026-04-14
What Undercode Says:
Check vulnerable version
npm list openclaw | grep openclaw
Simulate SSRF attempt (conceptual)
curl -X POST http://localhost:3000/api/browser/snapshot \
-H "Authorization: Bearer $TOKEN" \
-d '{"url":"https://trusted.site","navigateTo":"http://169.254.169.254/latest/meta-data/"}'
Verify fix applied
npm install openclaw@2026.4.14
git show b75ad800a59009fc47eaa3471410f69046150e59
Exploit:
Authenticated attacker sends snapshot request with allowed start URL, then forces navigation to internal IP via route parameter or injected script; internal page content (e.g., AWS metadata) is returned in snapshot/screenshot before fix.
Protection from this CVE:
Upgrade to openclaw >=2026.4.14. If cannot upgrade, enforce strict browser policy with manual post-navigation checks or disable snapshot/screenshot routes for untrusted users.
Impact:
Exposure of internal services, cloud metadata, or localhost resources; information disclosure leading to privilege escalation or further attacks in restrictive SSRF configurations.
Sources:
Reported By: github.com