6.1
OpenClaw's web tools may bypass DNS pinning with proxy settings
GHSA-8mvx-p2r9-r375
CVE-2026-22181
Summary
If you use OpenClaw's web tools with proxy settings configured, an attacker may be able to reach internal or private targets. The tool's strict URL checks do not control where a proxied request is finally routed, so they are not enough on their own to prevent this. To fix this, update OpenClaw to version 2026.3.2 or later.
What to do
- Update steipete openclaw to version 2026.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.3.2 | 2026.3.2 |
Original title
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configu...
Original description
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through proxy behavior instead of pinned-destination routing, enabling access to internal targets reachable from the proxy environment.
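The description above turns on the difference between connecting to a validated, pinned IP address and handing the hostname to an environment proxy that resolves it again. The sketch below is an added example, not OpenClaw's code and not necessarily how 2026.3.2 fixes the issue: one way a strict fetch path can keep the pin by ignoring proxy variables and reporting them. All function names, the plan fields and the sample values are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not OpenClaw's code.
const PROXY_VARS = ['HTTP_PROXY', 'HTTPS_PROXY', 'ALL_PROXY'];

// Proxy variables present in env (upper or lower case), as named in the advisory.
function activeProxyVars(env) {
  return PROXY_VARS.filter((k) => env[k] || env[k.toLowerCase()]);
}

// True for addresses a public-web fetch should never reach.
// Simplification: anything that is not dotted-quad IPv4 counts as internal (fail closed).
function isInternalAddress(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return true;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127) || a >= 224;
}

// Build a connection plan for a strict fetch.
// resolvedAddrs: result of the single DNS lookup the caller performed for the URL's host.
function planStrictFetch(rawUrl, resolvedAddrs, env) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`blocked scheme: ${url.protocol}`);
  }
  if (resolvedAddrs.length === 0) throw new Error('no addresses resolved');
  const bad = resolvedAddrs.find(isInternalAddress);
  if (bad) throw new Error(`blocked internal address: ${bad}`);
  return {
    connectTo: resolvedAddrs[0],            // socket destination: the validated IP
    hostHeader: url.host,                   // original name for Host header / TLS SNI
    useEnvProxy: false,                     // never let a proxy re-resolve the hostname
    ignoredProxyVars: activeProxyVars(env), // surfaced so the caller can log them
  };
}

// Constructed sample input (hostnames, address and proxy URLs are made up).
const sampleEnv = {
  HTTPS_PROXY: 'http://proxy.example:3128',
  all_proxy: 'socks5://proxy.example:1080',
};
const samplePlan = planStrictFetch('https://docs.example/page', ['93.184.216.34'], sampleEnv);
```

Where direct egress is blocked and a proxy is mandatory, a plan like this makes the strict fetch fail at connect time instead of silently losing the pin.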
osv CVSS3.1
7.6
Vulnerability type
CWE-367
CWE-918
Server-Side Request Forgery (SSRF)
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026