CVE-2026-26322 Overview
CVE-2026-26322 is a Server-Side Request Forgery (SSRF) vulnerability in OpenClaw, a personal AI assistant application. Prior to version 2026.2.14, the Gateway tool accepted a tool-supplied gatewayUrl parameter without sufficient restrictions, allowing attackers to instruct the OpenClaw host to initiate outbound WebSocket connections to arbitrary user-specified targets. This could enable network reconnaissance, access to internal services, and potential interaction with cloud metadata endpoints.
Critical Impact
Authenticated operators or trusted automation systems can manipulate the OpenClaw host to probe internal network resources, access localhost services, and potentially interact with cloud metadata APIs through unrestricted WebSocket connections.
Affected Products
- OpenClaw versions prior to 2026.2.14
Discovery Timeline
- 2026-02-19 - CVE-2026-26322 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26322
Vulnerability Analysis
This vulnerability stems from insufficient input validation in OpenClaw's Gateway tool when processing the gatewayUrl parameter. The Gateway WebSocket client accepted URL overrides from tool calls without implementing proper validation or allowlisting mechanisms. When a malicious actor with appropriate access invokes tools that accept gatewayUrl overrides, they can redirect the OpenClaw host's WebSocket connections to arbitrary destinations.
The attack surface is limited to authenticated operators, trusted automation systems, or environments where tool calls are explicitly exposed to non-operators. This is not exploitable by arbitrary internet users unless a deployment specifically allows untrusted users to trigger these tool calls.
Root Cause
The root cause is classified under CWE-918 (Server-Side Request Forgery). The Gateway WebSocket client implementation lacked proper URL validation, allowing tool-supplied gatewayUrl values to flow directly into connection logic without checking for disallowed protocols, credential inclusion, restricted paths, or private network destinations.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access. An attacker capable of invoking Gateway tool calls can supply malicious gatewayUrl values targeting sensitive endpoints including:
- Localhost services - Access to local services running on the OpenClaw host
- Private network addresses - Probing internal network infrastructure
- Cloud metadata endpoints - Targeting cloud provider metadata APIs (e.g., 169.254.169.254) for credential harvesting
- WebSocket-enabled services - Full bidirectional interaction with reachable WebSocket endpoints
If the target endpoint is reachable and speaks the WebSocket protocol, interaction goes beyond a bare connection attempt: the OpenClaw host completes the handshake and exchanges frames with that endpoint, which can enable data exfiltration or service manipulation. Endpoints that do not speak WebSocket still reveal whether they are reachable, which is enough for reconnaissance.
Detection Methods for CVE-2026-26322
Indicators of Compromise
- Unexpected outbound WebSocket connection attempts from OpenClaw host systems to internal IP ranges or localhost
- Connection attempts to cloud metadata IP addresses (e.g., 169.254.169.254, fd00:ec2::254)
- Gateway tool invocations containing non-standard gatewayUrl parameters in application logs
- Unusual error patterns or timeouts related to Gateway WebSocket connections
Detection Strategies
- Monitor network traffic from OpenClaw hosts for WebSocket connections to non-gateway endpoints
- Implement logging and alerting on tool calls that include gatewayUrl parameter overrides
- Review application logs for Gateway connection errors indicating SSRF attempts
- Deploy network segmentation rules to restrict OpenClaw host outbound connectivity
Monitoring Recommendations
- Enable verbose logging for Gateway tool operations to capture URL parameters
- Configure network monitoring to alert on connections to private IP ranges from application servers
- Implement egress filtering to restrict outbound WebSocket connections to known gateway endpoints
- Audit tool call permissions to identify over-privileged automation or operator accounts
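The log-review strategy above, as an added example in JavaScript; it is not OpenClaw's logging format and not a tool shipped with the project. The log lines are constructed JSON records of the shape the example assumes (one tool call per line, with the call arguments under args), and the list of approved gateway URLs is a placeholder. Each override that does not match an approved gateway becomes a finding ranked by where it points:

```javascript
// Added example: triage tool-call log lines for gatewayUrl overrides and rank
// them by where they point. The record shape (JSON per line, arguments under
// "args") and the approved-gateway list are assumptions, not OpenClaw's format.

// Constructed sample log: a normal call, a legitimate loopback override, three
// SSRF-style overrides, the approved remote, and a line that is not JSON.
const SAMPLE_LOG = [
  '{"ts":"2026-02-20T10:01:02Z","tool":"gateway","args":{"action":"status"}}',
  '{"ts":"2026-02-20T10:01:05Z","tool":"gateway","args":{"gatewayUrl":"ws://127.0.0.1:18789"}}',
  '{"ts":"2026-02-20T10:02:11Z","tool":"gateway","args":{"gatewayUrl":"ws://169.254.169.254/"}}',
  '{"ts":"2026-02-20T10:02:40Z","tool":"gateway","args":{"gatewayUrl":"ws://10.0.3.7:6379/"}}',
  '{"ts":"2026-02-20T10:03:15Z","tool":"gateway","args":{"gatewayUrl":"ws://[fd00:ec2::254]/"}}',
  '{"ts":"2026-02-20T10:04:00Z","tool":"gateway","args":{"gatewayUrl":"wss://gateway.example.net/"}}',
  "not a json record",
];

// Placeholder allowlist: the configured remote and the local gateway on its port.
const APPROVED_GATEWAYS = ["wss://gateway.example.net/", "ws://127.0.0.1:18789/"];

// Coarse classification of a URL hostname (as returned by URL.hostname, so IPv6
// literals arrive in brackets). Names are not resolved here.
function classifyHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost") return "loopback";
  if (h.startsWith("[")) {
    const v6 = h.slice(1, -1);
    if (v6 === "::1") return "loopback";
    if (v6 === "fd00:ec2::254") return "metadata";   // AWS IMDS IPv6 endpoint
    if (/^f[cd]/.test(v6)) return "private";         // fc00::/7 unique local
    if (/^fe[89ab]/.test(v6)) return "link-local";   // fe80::/10
    return "public";
  }
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(h);
  if (!m) return "dns-name";                         // judge only after resolution
  if (h === "169.254.169.254") return "metadata";    // cloud metadata service
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 127) return "loopback";
  if (a === 169 && b === 254) return "link-local";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  return "public";
}

const SEVERITY = {
  metadata: "critical", loopback: "high", private: "high", "link-local": "high",
  "dns-name": "medium", public: "medium", unparseable: "medium",
};

// Returns one finding per override that does not match an approved gateway.
function triageToolCallLog(lines, approvedGatewayUrls) {
  const approved = approvedGatewayUrls.map((s) => new URL(s));
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }   // skip non-JSON lines
    const override = rec?.args?.gatewayUrl;
    if (typeof override !== "string") continue;           // call had no override
    let u;
    try { u = new URL(override); } catch {
      findings.push({ ts: rec.ts, url: override, category: "unparseable", severity: "medium" });
      continue;
    }
    if (approved.some((a) => a.protocol === u.protocol && a.host === u.host)) continue;
    const category = classifyHost(u.hostname);
    findings.push({ ts: rec.ts, url: override, category, severity: SEVERITY[category] });
  }
  return findings;
}
```

A finding of category dns-name means the override used a host name; the check cannot judge it without resolving it, so treat those as review items rather than dismissing them. Run it over real logs only after confirming the field names your deployment actually emits.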
How to Mitigate CVE-2026-26322
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Review and restrict tool call permissions to minimize exposure to untrusted users
- Audit existing configurations to identify deployments that may expose tool calls to non-operators
- Implement network-level egress controls to restrict outbound connections from OpenClaw hosts
Patch Information
The vulnerability is addressed in OpenClaw version 2026.2.14. The fix implements strict validation of tool-supplied gatewayUrl overrides, restricting them to loopback addresses (on the configured gateway port) or the configured gateway.remote.url. The patch also rejects disallowed protocols, embedded credentials, query parameters, hash fragments, and non-root paths.
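The validation described above, as an added example in JavaScript using Node's built-in WHATWG URL parser; this is illustrative code written for this page, not OpenClaw's own implementation. It assumes a hypothetical config object with gatewayPort (the local gateway port; 18789 is used as a placeholder) and remoteUrl (standing in for gateway.remote.url), and replaces the real WebSocket connector with a function that only returns the URL it would dial. The unsafe and hardened resolvers are shown side by side so the difference in data flow is visible:

```javascript
// Added example, not OpenClaw's own code: the allowlist check the fix is
// described as applying to a tool-supplied gatewayUrl override.
// Assumptions (hypothetical names): config.gatewayPort is the local gateway's
// port and config.remoteUrl stands in for gateway.remote.url. The connector is
// replaced by a function that only returns the URL it would dial.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// WHATWG URL leaves port empty when it is the scheme default.
function effectivePort(u) {
  if (u.port !== "") return u.port;
  return u.protocol === "wss:" ? "443" : "80";
}

// Normalise to protocol//hostname:port/path so different spellings of one
// endpoint compare equal (ws://127.1:18789 parses to ws://127.0.0.1:18789/).
function canonical(u) {
  return `${u.protocol}//${u.hostname}:${effectivePort(u)}${u.pathname}`;
}

// Returns { ok: true, url } for an acceptable override, else { ok: false, reason }.
function validateGatewayUrlOverride(candidate, config) {
  let u;
  try {
    u = new URL(candidate);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") {
    return { ok: false, reason: `disallowed protocol ${u.protocol}` };
  }
  if (u.username !== "" || u.password !== "") {
    return { ok: false, reason: "embedded credentials" };
  }
  if (u.search !== "" || u.hash !== "") {
    return { ok: false, reason: "query string or fragment not allowed" };
  }
  if (u.pathname !== "/") {
    return { ok: false, reason: `non-root path ${u.pathname}` };
  }
  const loopbackOnGatewayPort =
    LOOPBACK_HOSTS.has(u.hostname) && effectivePort(u) === String(config.gatewayPort);
  // config.remoteUrl is assumed to be operator-controlled and already valid.
  const matchesConfiguredRemote =
    typeof config.remoteUrl === "string" && canonical(u) === canonical(new URL(config.remoteUrl));
  if (!loopbackOnGatewayPort && !matchesConfiguredRemote) {
    return { ok: false, reason: `${u.host} is neither loopback on port ${config.gatewayPort} nor the configured remote` };
  }
  return { ok: true, url: canonical(u) };
}

// Vulnerable shape: the tool-supplied override flows straight to the connector.
function resolveGatewayUrlUnsafe(toolArgs, config) {
  return toolArgs.gatewayUrl ?? config.remoteUrl;
}

// Hardened shape: the override is used only if it passes the allowlist.
function resolveGatewayUrl(toolArgs, config) {
  if (toolArgs.gatewayUrl === undefined) return config.remoteUrl;
  const verdict = validateGatewayUrlOverride(toolArgs.gatewayUrl, config);
  if (!verdict.ok) throw new Error(`gatewayUrl override rejected: ${verdict.reason}`);
  return verdict.url;
}
```

The allowlist works on the URL, so it cannot tell what a permitted name resolves to: if the host's resolver maps localhost or the configured remote name to an unexpected address, the connection still goes there. That is a property of any hostname allowlist, and one reason the egress controls listed under Workarounds are worth keeping after patching.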
For detailed patch information, refer to the GitHub Security Advisory GHSA-g6q9-8fvw-f7rf and the GitHub commit implementing the fix.
Workarounds
- Restrict tool call access to trusted operators only until patching is complete
- Implement network-level egress filtering to block connections to internal networks and cloud metadata endpoints
- Configure firewall rules to limit OpenClaw host outbound connectivity to known gateway URLs
- Route outbound connections from OpenClaw through an egress proxy that enforces a destination allowlist, so the host cannot reach arbitrary targets directly even if a tool call asks it to
# Example network egress restriction (iptables / ip6tables), applied on the OpenClaw host
# Block the cloud metadata endpoints; the IPv6 address needs ip6tables, iptables only handles IPv4
iptables -A OUTPUT -d 169.254.169.254 -j DROP
ip6tables -A OUTPUT -d fd00:ec2::254 -j DROP
# Allow the approved gateway, then drop every other outbound TCP/443 connection.
# iptables resolves the hostname once, when the rule is inserted, so prefer the
# gateway's IP address and re-apply the rule if that address changes.
# The final DROP also blocks other HTTPS traffic from the host (package updates,
# API calls); scope it with -m owner --uid-owner to the OpenClaw service user if
# that is not intended.
iptables -A OUTPUT -p tcp --dport 443 -d your-gateway-host.example.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

