CVE-2026-28467 Overview
OpenClaw versions prior to 2026.2.2 contain a Server-Side Request Forgery (SSRF) vulnerability in the attachment and media URL hydration functionality. This flaw allows remote attackers to fetch arbitrary HTTP(S) URLs by influencing media URLs through model-controlled sendAttachment or auto-reply mechanisms. Successful exploitation enables SSRF attacks against internal resources, with the ability to exfiltrate fetched response bytes as outbound attachments.
Critical Impact
Attackers can leverage this SSRF vulnerability to probe internal network resources, access cloud metadata endpoints, and exfiltrate sensitive internal data through the application's attachment handling mechanism.
Affected Products
- OpenClaw versions prior to 2026.2.2
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28467 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28467
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The SSRF condition exists in OpenClaw's handling of remote media fetches during attachment and URL hydration processes. The application failed to properly validate and restrict URLs before making server-side HTTP requests, allowing attackers to force the server to make requests to arbitrary internal or external destinations.
The attack surface is network-accessible and requires no authentication or user interaction. Attackers who can influence media URLs—whether through model-controlled sendAttachment functionality or auto-reply mechanisms—can trigger the vulnerable code path. The fetched response data is then returned as an outbound attachment, creating a data exfiltration channel.
Root Cause
The root cause stems from missing SSRF protection guards in the remote media fetch functionality. The vulnerable code paths in src/agents/tools/web-fetch.ts and src/agents/skills-install.ts processed URL requests without validating them against SSRF policies. This allowed requests to internal IP ranges, localhost, cloud metadata endpoints (such as 169.254.169.254), and other restricted destinations.
Attack Vector
The attack is network-based and exploits the media URL hydration process. An attacker crafts a malicious URL pointing to an internal resource and injects it into a context where the application will attempt to fetch and hydrate the media. The server-side fetch request bypasses client-side restrictions, allowing access to resources that would otherwise be unreachable from the attacker's position.
Attack scenarios include:
- Accessing cloud provider metadata endpoints to retrieve IAM credentials
- Scanning internal network services and ports
- Retrieving data from internal APIs and databases
- Bypassing firewall rules by using the server as a proxy
// Security patch implementing SSRF guards in fetch operations
// Source: https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae
-import type { Dispatcher } from "undici";
import { Type } from "@sinclair/typebox";
import type { OpenClawConfig } from "../../config/config.js";
import type { AnyAgentTool } from "./common.js";
-import {
- closeDispatcher,
- createPinnedDispatcher,
- resolvePinnedHostname,
- SsrFBlockedError,
-} from "../../infra/net/ssrf.js";
+import { fetchWithSsrFGuard } from "../../infra/net/fetch-guard.js";
+import { SsrFBlockedError } from "../../infra/net/ssrf.js";
import { wrapExternalContent, wrapWebContent } from "../../security/external-content.js";
import { stringEnum } from "../schema/typebox.js";
import { jsonResult, readNumberParam, readStringParam } from "./common.js";
Source: GitHub Commit 81c68f5
The patch introduces a new fetchWithSsrFGuard wrapper function that validates URLs against an SSRF policy before allowing the fetch operation to proceed:
// New SSRF guard implementation
// Source: https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae
+import type { Dispatcher } from "undici";
+import {
+ closeDispatcher,
+ createPinnedDispatcher,
+ resolvePinnedHostname,
+ resolvePinnedHostnameWithPolicy,
+ type LookupFn,
+ type SsrFPolicy,
+} from "./ssrf.js";
+
+type FetchLike = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+
+export type GuardedFetchOptions = {
+ url: string;
+ fetchImpl?: FetchLike;
+ method?: string;
+ headers?: HeadersInit;
+ maxRedirects?: number;
+ timeoutMs?: number;
+ signal?: AbortSignal;
+ policy?: SsrFPolicy;
+ lookupFn?: LookupFn;
+};
+
+export type GuardedFetchResult = {
+ response: Response;
+ finalUrl: string;
+ release: () => Promise<void>;
+};
Source: GitHub Commit 81c68f5
Detection Methods for CVE-2026-28467
Indicators of Compromise
- Outbound HTTP/HTTPS requests to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x) originating from the OpenClaw application
- Requests to cloud metadata endpoints such as 169.254.169.254 or metadata.google.internal
- Unusual attachment traffic containing responses from internal services
- Application logs showing fetch requests to non-public URLs through the media hydration functionality
Detection Strategies
- Monitor egress traffic from OpenClaw servers for requests to RFC 1918 private IP addresses and link-local addresses
- Implement network-level logging to detect HTTP requests to internal services from the application tier
- Review application logs for SsrFBlockedError exceptions which may indicate attempted exploitation on patched systems
- Deploy web application firewall rules to detect SSRF patterns in inbound requests
Monitoring Recommendations
- Enable verbose logging for the src/infra/net/ module to capture all remote fetch operations
- Set up alerts for outbound connections to metadata service endpoints across all cloud providers
- Monitor for anomalous data volumes in outbound attachments which may indicate data exfiltration
- Implement network segmentation monitoring to detect lateral movement attempts via SSRF
How to Mitigate CVE-2026-28467
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.2 or later immediately
- Review application logs for evidence of past exploitation attempts
- Audit any data that may have been exfiltrated through attachment mechanisms
- Restrict outbound network access from OpenClaw servers to only required external endpoints
Patch Information
The vulnerability has been addressed in commits 81c68f5 and 9bd64c8. These patches implement comprehensive SSRF guards using a new fetchWithSsrFGuard function that validates URLs against a configurable SSRF policy before allowing fetch operations. Additional details are available in the GitHub Security Advisory.
Workarounds
- Deploy network-level controls to block outbound requests to internal IP ranges from OpenClaw application servers
- Configure egress firewall rules to explicitly allow only required external domains
- If possible, disable the attachment and media URL hydration features until patching is complete
- Implement a reverse proxy with URL validation to intercept and filter potentially malicious requests
# Example: Network-level mitigation using iptables to block requests to internal ranges
# Apply to the server running OpenClaw
# Block requests to private IPv4 ranges
iptables -A OUTPUT -d 10.0.0.0/8 -m owner --uid-owner openclaw -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -m owner --uid-owner openclaw -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner openclaw -j DROP
# Block cloud metadata endpoints
iptables -A OUTPUT -d 169.254.169.254 -m owner --uid-owner openclaw -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
