OpenClaw's web tools may bypass DNS pinning with proxy setup
GHSA-8mvx-p2r9-r375
Summary
When environment proxy variables are configured, OpenClaw's web tools could route attacker-influenced URLs through the proxy instead of the DNS-pinned dispatcher, bypassing DNS pinning and potentially reaching internal or private targets that the proxy environment can reach. This issue affects OpenClaw versions up to and including 2026.3.1. To fix it, update to version 2026.3.2 or later.
What to do
- Update openclaw to version 2026.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.1 | 2026.3.2 |
Original title
OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured
Original description
### Summary
`openclaw` web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`, including lowercase variants).
In affected builds, strict URL checks (for example `web_fetch` and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable version range: `<= 2026.3.1`
- Latest published npm version at triage time (2026-03-02): `2026.3.1`
- Patched versions: `>= 2026.3.2` (released)
### Technical Details
The SSRF guard performed hostname resolution and policy checks, then selected a request dispatcher.
When env proxy settings were present, strict web-tool flows could use `EnvHttpProxyAgent` instead of the DNS-pinned dispatcher. This created a destination-binding gap between check-time resolution and connect-time routing.
The fix keeps DNS pinning on strict/untrusted web-tool URL paths and limits env-proxy bypass behavior to trusted/operator-controlled endpoints via an explicit dangerous opt-in.
### Impact
In deployments with env proxy variables configured, attacker-influenced URLs from web tools could be routed through proxy behavior instead of strict pinned-destination routing, which could allow access to internal/private targets reachable from that proxy environment.
### Mitigations
Before upgrading, operators can reduce exposure by clearing the proxy env vars (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY` and their lowercase variants) for OpenClaw runtime processes, or by disabling `web_fetch` / `web_search` where untrusted URL input is possible.
### Fix Commit(s)
- `345abf0b2e0f43b0f229e96f252ebf56f1e5549e`
CVSS 3.1 (GHSA): 7.6
Vulnerability type
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- CWE-918: Server-Side Request Forgery (SSRF)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026