OpenClaw Gateway tool allows malicious URLs from trusted users
CVE-2026-26322
GHSA-g6q9-8fvw-f7rf
Summary
Trusted users with special access to the OpenClaw Gateway tool can, accidentally or maliciously, make the tool connect to unauthorized websites. This can happen when users have more access than they need, and it lets an attacker probe whether a given host is reachable from the OpenClaw host. If you're using OpenClaw Gateway, update to the latest version to prevent this from happening.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw Gateway tool allowed unrestricted gatewayUrl override
Original description
## Summary
The Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.13`
- Patched versions: `>= 2026.2.14` (planned)
## What Is Needed To Trigger This
This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators.
In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls.
## Details
Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs).
## Impact
In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible.
## Fix
Tool-supplied `gatewayUrl` overrides are now restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.
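The allowlist policy described in the Fix section, as an added example in JavaScript (not OpenClaw's own code): only `ws:`/`wss:` targets that are either loopback on the configured gateway port or the configured remote gateway origin are accepted, and credentials, query/hash and non-root paths are rejected. The config shape, the port 18789 and the hostnames are constructed for illustration.

```javascript
// Added example, not OpenClaw's own code: a gatewayUrl allowlist that follows
// the policy in the Fix section. The config shape, port and hostnames are
// constructed for illustration.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Decide whether a tool-supplied override may be used as the Gateway WebSocket
// target. Returns { ok: true, url } or { ok: false, reason }.
function validateGatewayUrl(candidate, config) {
  let url;
  try {
    url = new URL(String(candidate)); // WHATWG URL global in Node.js
  } catch {
    return { ok: false, reason: "unparseable url" };
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") {
    return { ok: false, reason: "protocol not allowed" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials not allowed" };
  }
  if (url.search || url.hash) {
    return { ok: false, reason: "query/hash not allowed" };
  }
  if (url.pathname !== "/") {
    return { ok: false, reason: "non-root path not allowed" };
  }
  // WHATWG URL blanks the port when it equals the scheme default (80/443).
  const port = Number(url.port || (url.protocol === "wss:" ? 443 : 80));
  // Rule 1: loopback, but only on the configured gateway port.
  if (LOOPBACK_HOSTS.has(url.hostname)) {
    return port === config.gatewayPort
      ? { ok: true, url: url.href }
      : { ok: false, reason: "loopback on unexpected port" };
  }
  // Rule 2: exactly the configured remote gateway, compared on origin
  // (scheme + host + port); comparing on origin is an assumption here.
  if (config.remoteUrl && url.origin === new URL(config.remoteUrl).origin) {
    return { ok: true, url: url.href };
  }
  return { ok: false, reason: "host not in allowlist" };
}

// Constructed configuration for a quick self-check of the rules above.
const SAMPLE_CONFIG = { gatewayPort: 18789, remoteUrl: "wss://gateway.example.test" };

// Map each candidate override to [candidate, accepted?] under a config.
function classify(candidates, config = SAMPLE_CONFIG) {
  return candidates.map((c) => [c, validateGatewayUrl(c, config).ok]);
}
```

A scheme downgrade of the configured remote (`ws://` instead of `wss://`) is rejected because the origins differ; a private-network address with the right port is rejected because it is neither loopback nor the configured remote.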
## Fix Commit(s)
- c5406e1d2434be2ef6eb4d26d8f1798d718713f4
## Release Process Note
`patched_versions` is set to the planned next release. Once the npm release is published, the advisory can be published without further edits.
Thanks @p80n-sec for reporting.
NVD CVSS 3.1 score: 7.6
Vulnerability type: CWE-918 Server-Side Request Forgery (SSRF)
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-26322
- https://github.com/advisories/GHSA-g6q9-8fvw-f7rf
- https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d7187... (Patch)
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 (Product Release Notes)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf (Patch, Vendor Advisory)
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026