CVSS 4.0 base score: 6.9

OpenClaw allows access to internal network targets via crafted URLs

GHSA-8cp7-rp8r-mg77
Summary

OpenClaw's SSRF guard, which is meant to stop URL fetches from reaching loopback and private network addresses, did not recognise ISATAP IPv6 literals (RFC 5214). These carry an IPv4 address in their last 32 bits, so a crafted URL such as one containing `[...::5efe:127.0.0.1]` could smuggle a private IPv4 target past the private-address filter on any fetch path that relied on the shared hostname/IP check. The fix adds ISATAP embedded-IPv4 detection to the shared classifier and routes the relevant validators through it. Update OpenClaw to 2026.2.19 or later.

What to do
  • Update openclaw to version 2026.2.19 or later.
Affected software
Vendor / Product: openclaw (npm package `openclaw`)
Affected versions: >= 2026.1.20, <= 2026.2.17
Fix available: 2026.2.19
Original title
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP
Original description
## Summary
OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (`...:5efe:w.x.y.z`). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths.

## Severity Assessment
Rated **medium**: the bug weakens SSRF protections in URL fetch flows, but impact depends on reaching a URL-fetching path with attacker-controlled input and is generally constrained to internal network access attempts.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `>=2026.1.20 <=2026.2.17`
- Latest published at patch time: `2026.2.17`
- Patched release: `2026.2.19`

## Security Policy Context
Per `SECURITY.md`, OpenClaw's web/gateway surface is intended for local use by default, public internet exposure is out-of-scope, and prompt-injection reports are out-of-scope for bounty handling. This advisory tracks a core SSRF-guard bypass in fetch protections.

## Impact
This can permit SSRF-style access attempts to internal/private network targets through URL ingestion/fetch paths that rely on shared hostname/IP blocking.

## Fix
- Added RFC 5214 ISATAP embedded-IPv4 detection to the shared SSRF classifier.
- Centralized hostname/IP blocking through `isBlockedHostnameOrIp` and routed relevant validators to that shared path.
- Added regression tests for ISATAP private vs public embedded IPv4 handling.
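The gap described in the summary above and the centralised classifier the fix introduces, as a stand-alone JavaScript example written for this page. It is not OpenClaw's code: the function name `isBlockedHostnameOrIp` is borrowed from the advisory, but this implementation, the blocked-range table, the `naiveGuard` stand-in for pre-fix behaviour and the probe URL are all assumptions. It also goes one step beyond ISATAP and extracts the embedded IPv4 address from the other IPv6 transition formats (IPv4-mapped, 6to4, Teredo), since each is the same bug under a different prefix.

```javascript
// Added example, not OpenClaw's code: a shared SSRF host classifier that extracts the
// IPv4 address embedded by IPv6 transition formats (ISATAP as in the advisory, plus
// IPv4-mapped, 6to4 and Teredo) and checks it against the ranges a fetch guard refuses.
// Dotted quad -> 32-bit unsigned integer, or null if malformed.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n >>> 0;
}

// [base, mask] for unspecified, RFC 1918, CGNAT, loopback, link-local and 224.0.0.0/3.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
].map(([base, len]) => [ipv4ToInt(base), (0xffffffff << (32 - len)) >>> 0]);

function isBlockedIpv4(addr) {
  const n = typeof addr === "number" ? addr : ipv4ToInt(addr);
  if (n === null) return true; // unparseable: fail closed
  return BLOCKED_V4.some(([base, mask]) => ((n & mask) >>> 0) === base);
}

// Expand an IPv6 literal ([brackets], %zone, :: and a dotted-quad tail allowed)
// into eight 16-bit groups, or null if it is not valid IPv6.
function expandIpv6(literal) {
  let s = literal.trim().replace(/^\[|\]$/g, "").split("%")[0];
  const tail4 = s.match(/^(.*:)(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (tail4) { // rewrite a trailing a.b.c.d as two hex groups
    const v4 = ipv4ToInt(tail4[2]);
    if (v4 === null) return null;
    s = tail4[1] + (v4 >>> 16).toString(16) + ":" + (v4 & 0xffff).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// IPv4 address a transition format embeds in the eight groups, or null.
function embeddedIpv4(g) {
  const low32 = ((g[6] << 16) | g[7]) >>> 0;
  const zeroHead = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeroHead(5) && g[5] === 0xffff) return low32;                          // ::ffff:a.b.c.d (RFC 4291)
  if (g[0] === 0x2002) return ((g[1] << 16) | g[2]) >>> 0;                   // 6to4 2002:WWXX:YYZZ:: (RFC 3056)
  if ((g[4] === 0x0000 || g[4] === 0x0200) && g[5] === 0x5efe) return low32; // ISATAP (RFC 5214)
  if (g[0] === 0x2001 && g[1] === 0x0000) return (low32 ^ 0xffffffff) >>> 0; // Teredo client (RFC 4380)
  return null;
}

function isBlockedIpv6(g) {
  if (g.every((x) => x === 0)) return true;                           // ::
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true; // ::1
  if ((g[0] & 0xffc0) === 0xfe80) return true;                        // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true;                        // fc00::/7 ULA
  if ((g[0] & 0xff00) === 0xff00) return true;                        // ff00::/8 multicast
  const v4 = embeddedIpv4(g); return v4 !== null && isBlockedIpv4(v4);
}

// The one classifier every fetch path calls (name from the advisory, body is this
// example's). Apply it to URL.hostname, to every DNS answer, and to each redirect hop.
function isBlockedHostnameOrIp(host) {
  const h = host.trim().toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.includes(":")) {
    const g = expandIpv6(h);
    return g === null || isBlockedIpv6(g); // unparseable literal: fail closed
  }
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(h)) return isBlockedIpv4(h);
  return false; // a DNS name: the caller resolves it and re-checks the answers
}

// WHATWG URL parsing canonicalises the host first: http://2130706433/ becomes 127.0.0.1,
// and IPv6 hosts come back bracketed in hex-group form.
function isBlockedUrl(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return true; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return true;
  return isBlockedHostnameOrIp(u.hostname);
}

// Stand-in for the pre-fix guard (an assumption, not OpenClaw's code): it knows
// loopback, ::ffff: mapping and private IPv4 but has no notion of ISATAP.
function naiveGuard(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "::1" || h === "localhost") return true;
  if (h.startsWith("::ffff:")) return isBlockedIpv4(h.slice(7));
  return h.includes(":") ? false : isBlockedIpv4(h);
}

const probe = "http://[2001:db8::5efe:127.0.0.1]/"; // constructed: ISATAP literal wrapping loopback
console.log("naive:", naiveGuard(new URL(probe).hostname), "fixed:", isBlockedUrl(probe));
```

Run it with `node`: the probe URL passes `naiveGuard` and is refused by `isBlockedUrl`, while the same ISATAP literal wrapping a public address is allowed. Two design points matter in practice: the guard fails closed on anything it cannot parse, and a literal check is only one layer; the same classifier has to run on the addresses DNS returns and on every redirect target, otherwise a name that resolves to an ISATAP or loopback address still gets through.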

## Fix Commit(s)
- `d51929ecb52fe65e90bf36795f4247feb29eb8aa`

OpenClaw thanks @zpbrent for reporting.
Scoring source: GHSA (CVSS 4.0)
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026