OpenClaw Cron Webhook May Expose Internal Server Data
CVE-2026-27488
GHSA-w45g-5746-x9fp
Summary
The OpenClaw npm package's cron webhook feature allows unauthorized access to internal server data. This could happen if an attacker sends a malicious request to the webhook. Update OpenClaw to version 2026.2.18 or later to fix this issue.
What to do
- Update the steipete `openclaw` package to version 2026.2.19.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.17 | 2026.2.19 |
| openclaw | openclaw | <= 2026.2.17 | – |
Original title
OpenClaw hardened cron webhook delivery against SSRF
Original description
## Affected Packages / Versions
- `openclaw` npm package versions `<= 2026.2.17`.
## Vulnerability
Cron webhook delivery in `src/gateway/server-cron.ts` used `fetch()` directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks.
## Fix Commit(s)
- `99db4d13e`
- `35851cdaf`
Thanks @Adam55A-code for reporting.
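The hardening the advisory describes, as an added example that is not OpenClaw's own code: a TypeScript policy check run on a cron webhook target before `fetch()` is called, refusing non-HTTP schemes, loopback, link-local/metadata, RFC 1918, CGNAT and IPv4-mapped forms of those. Function and type names are mine; the caller is assumed to resolve hostnames (for example with `dns.lookup(host, { all: true })`) and pass the addresses in, since only a resolved address can be judged.

```typescript
import { isIP } from "node:net";

// Outcome of the policy check: allowed, or the reason the target is refused.
export type WebhookPolicy = { ok: true } | { ok: false; reason: string };
// Dotted IPv4 literal -> unsigned 32-bit integer.
const ipv4ToInt = (ip: string): number =>
  ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;

// Ranges a server-initiated webhook must never reach: "this" network, RFC 1918, CGNAT,
// loopback and link-local (which covers the 169.254.169.254 cloud metadata service).
const BLOCKED_V4: Array<[string, number]> = [["0.0.0.0", 8], ["10.0.0.0", 8],
  ["100.64.0.0", 10], ["127.0.0.0", 8], ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];
function isBlockedV4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => n >>> (32 - bits) === ipv4ToInt(base) >>> (32 - bits));
}

function isBlockedV6(ip: string): boolean {
  const a = ip.toLowerCase();
  // IPv4-mapped, dotted (::ffff:10.0.0.5) or in the hex form the WHATWG URL parser
  // emits (::ffff:a00:5): judge the embedded IPv4 address with the IPv4 policy.
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  if (dotted) return isBlockedV4(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  // Unspecified, loopback, unique-local (fc00::/7) and link-local (fe80::/10).
  return a === "::" || a === "::1" || /^f[cd]/.test(a) || /^fe[89ab]/.test(a);
}

// Run before fetch(). `resolved` is what the caller got from dns.lookup(host, { all: true });
// a hostname without it is refused, since only the resolved address can be judged (the
// connection should then go to that checked address, not to a fresh DNS answer).
export function checkWebhookTarget(target: string, resolved: string[] = []): WebhookPolicy {
  let url: URL;
  try { url = new URL(target); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  // new URL() lowercases the host and canonicalises IPv4 shorthand/hex/decimal forms.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const addrs = isIP(host) ? [host] : resolved;
  if (addrs.length === 0) return { ok: false, reason: "hostname not resolved before check" };
  for (const a of addrs) {
    const v = isIP(a);
    if (v === 0 || (v === 4 && isBlockedV4(a)) || (v === 6 && isBlockedV6(a)))
      return { ok: false, reason: `address ${a} is internal or invalid` };
  }
  return { ok: true };
}
```

A refusal should be logged with the offending target and job id so that a cron definition pointing at an internal address shows up in monitoring rather than failing silently.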
NVD CVSS 3.1: 7.3
NVD CVSS 4.0: 6.9
Vulnerability type: CWE-918 Server-Side Request Forgery (SSRF)
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27488
- https://github.com/advisories/GHSA-w45g-5746-x9fp
- https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e927317... Patch
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.19 Release Notes
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp Vendor Advisory
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026