CVE-2026-28476 Overview
OpenClaw versions prior to 2026.2.14 contain a server-side request forgery (SSRF) vulnerability in the optional Tlon Urbit extension. The vulnerability exists because the extension accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts, including internal network addresses.
Critical Impact
This SSRF lets an attacker who can set the Urbit URL reach services that trust the gateway's network position, bypassing perimeter controls and potentially exposing internal data or enabling further attacks against backend infrastructure. The precondition matters for triage: the attacker must be able to influence that configuration value, so exposure is greatest where the Tlon extension's settings can be changed by untrusted parties.
Affected Products
- OpenClaw versions prior to 2026.2.14
- OpenClaw Tlon Urbit Extension (when enabled)
Discovery Timeline
- 2026-03-05 - CVE-2026-28476 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28476
Vulnerability Analysis
This server-side request forgery vulnerability exists in the Tlon Urbit extension's authentication mechanism. The extension failed to validate or sanitize user-provided URLs before using them to make outbound HTTP requests. When a malicious URL is configured as the Urbit endpoint, the OpenClaw gateway can be coerced into making requests to attacker-controlled destinations or internal network resources that would otherwise be inaccessible from external networks.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches a remote resource without sufficiently validating the user-supplied URL. This allows attackers to coerce the application to send crafted requests to unexpected destinations, even when protected by a firewall, VPN, or other network access control mechanisms.
Root Cause
The root cause of this vulnerability lies in insufficient URL validation in the Tlon extension's authentication flow. The original implementation directly accepted user-provided base URLs for Urbit connections without implementing allowlist validation or restrictions against private network address ranges. The fix introduces a new allowPrivateNetwork configuration option and moves authentication logic to a dedicated module with proper URL validation controls.
Attack Vector
The attack vector is network-based and requires the attacker to influence the Urbit URL configuration. An attacker could exploit this vulnerability to:
- Probe internal infrastructure by targeting private and special-purpose ranges: RFC 1918 space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16, where cloud instance metadata services usually listen)
- Access internal services running on localhost or internal hosts
- Enumerate internal services and ports
- Potentially exfiltrate data from internal systems
- Leverage the OpenClaw server as a proxy for further attacks
The patch to extensions/tlon/src/channel.ts swaps the connection mechanism for a dedicated authentication module and channel client. The excerpt shows only the import change; the URL validation itself lives in the new module and is not visible here:
import { tlonOnboardingAdapter } from "./onboarding.js";
import { formatTargetHint, normalizeShip, parseTlonTarget } from "./targets.js";
import { resolveTlonAccount, listTlonAccountIds } from "./types.js";
-import { ensureUrbitConnectPatched, Urbit } from "./urbit/http-api.js";
+import { authenticate } from "./urbit/auth.js";
+import { UrbitChannelClient } from "./urbit/channel-client.js";
import { buildMediaText, sendDm, sendGroupMessage } from "./urbit/send.js";
const TLON_CHANNEL_ID = "tlon" as const;
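Review bot: this hunk only swaps imports (`ensureUrbitConnectPatched` and `Urbit` out, `authenticate` and `UrbitChannelClient` in), so the private-network restriction the advisory credits to the fix is not visible here; the review should confirm that `authenticate` in `./urbit/auth.js` validates the configured URL before any request is issued, rejects loopback, link-local and RFC 1918 destinations unless `allowPrivateNetwork` is set, and applies that check to the address the hostname resolves to rather than only to a literal IP in the URL string. Any remaining references to `ensureUrbitConnectPatched` or `Urbit` elsewhere in channel.ts must also be moved to the new client, or the module will not compile.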
Source: GitHub Commit Update
The configuration schema was also updated to add explicit controls for private network access:
ship: ShipSchema.optional(),
url: z.string().optional(),
code: z.string().optional(),
+ allowPrivateNetwork: z.boolean().optional(),
groupChannels: z.array(ChannelNestSchema).optional(),
dmAllowlist: z.array(ShipSchema).optional(),
autoDiscoverChannels: z.boolean().optional(),
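Review bot: `allowPrivateNetwork: z.boolean().optional()` leaves the default out of the schema even though the option is meant to default to disabled; `z.boolean().default(false)` would make that invariant explicit and give every consumer a boolean instead of `undefined`. The `url` field two lines above stays `z.string().optional()`, so arbitrary strings reach the authentication path; `z.string().url()` would reject malformed values at configuration load and leave only the scheme and destination checks to the auth module. A `.describe()` on the new option stating that it opts into requests toward private and loopback addresses would document the security consequence of enabling it.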
Source: GitHub Commit Update
Detection Methods for CVE-2026-28476
Indicators of Compromise
- Unusual outbound HTTP requests from the OpenClaw server to internal IP ranges or localhost
- Requests to unexpected external hosts originating from the Tlon extension
- Configuration changes to Urbit URL settings pointing to non-standard addresses
- Error logs indicating failed connections to internal services
Detection Strategies
- Monitor network traffic from OpenClaw instances for requests to internal/private IP ranges
- Implement URL allowlisting and log any connection attempts to non-approved domains
- Review Tlon extension configuration for suspicious URL values
- Set up alerts for outbound requests from the gateway to RFC 1918 space, loopback (127.0.0.0/8) and link-local (169.254.0.0/16) addresses; RFC 1918 alone misses the metadata and localhost targets an SSRF typically aims at
Monitoring Recommendations
- Enable detailed logging for all Tlon extension authentication attempts
- Configure network monitoring to alert on SSRF-pattern traffic from application servers
- Implement egress filtering and log violations at the network perimeter
- Periodically audit OpenClaw configuration files for unauthorized URL modifications
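The two checks described above, the URL validation the Root Cause section attributes to the fix and the private-destination detection listed under Detection Strategies, share one address classifier, so both are shown in a single added example here. This is illustrative code written for this page, not OpenClaw's `./urbit/auth.js`; the function names `isPrivateAddress`, `validateUrbitUrl` and `flagPrivateEgress`, the `resolvedAddresses` parameter and the egress-log line format are assumptions made for the example.

```typescript
// Added example, not OpenClaw's code: the URL check the advisory describes
// for the Tlon extension, plus a detector that runs the same check over
// constructed egress-log lines. Names and the log format are assumptions.

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for destinations a gateway should not reach on behalf of a configured
// URL: loopback, RFC 1918, CGNAT, link-local (where cloud metadata services
// listen), the unspecified address, and their IPv6 counterparts. A DNS name
// returns false; the caller must also check what it resolves to.
function isPrivateAddress(hostRaw: string): boolean {
  const host = hostRaw.replace(/^\[|\]$/g, "").toLowerCase(); // URL.hostname keeps [] on IPv6
  if (host === "localhost") return true;
  const v4 = parseIPv4(host);
  if (v4) {
    const [a, b] = v4;
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168)
    );
  }
  if (!host.includes(":")) return false;
  if (host === "::" || host === "::1") return true;
  // IPv4-mapped IPv6, either dotted or in the compressed hex form the URL parser emits
  const mapped = /^::ffff:(.+)$/.exec(host);
  if (mapped) {
    const tail = mapped[1];
    if (tail.includes(".")) return isPrivateAddress(tail);
    const groups = tail.split(":").map((g) => parseInt(g, 16));
    if (groups.length !== 2) return false;
    const [hi, lo] = groups;
    return isPrivateAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const first = parseInt(host.split(":")[0] || "0", 16);
  return (first & 0xffc0) === 0xfe80 || (first & 0xfe00) === 0xfc00; // fe80::/10, fc00::/7
}

function tryParseUrl(input: string): URL | null {
  try { return new URL(input); } catch { return null; }
}

// Shape assumed for the check the fixed extension performs: absolute http(s)
// URL, no embedded credentials, and no private destination unless the operator
// explicitly set allowPrivateNetwork. resolvedAddresses carries what DNS
// returned for the hostname, so a public-looking name that points at an
// internal address is rejected as well.
function validateUrbitUrl(
  input: string,
  allowPrivateNetwork = false,
  resolvedAddresses: string[] = [],
): UrlCheck {
  const url = tryParseUrl(input);
  if (!url) return { ok: false, reason: "not a valid absolute URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  if (!allowPrivateNetwork) {
    for (const host of [url.hostname, ...resolvedAddresses]) {
      if (isPrivateAddress(host)) {
        return { ok: false, reason: `private destination ${host} (allowPrivateNetwork is off)` };
      }
    }
  }
  return { ok: true, url };
}

// Constructed egress-proxy lines for the detection walkthrough (not real
// OpenClaw or proxy output): "<timestamp> <source> -> <destination URL>".
const SAMPLE_EGRESS_LOG: string[] = [
  "2026-03-05T10:00:01Z openclaw-gw -> https://ship.example.net/~/login",
  "2026-03-05T10:00:02Z openclaw-gw -> http://169.254.169.254/latest/meta-data/",
  "2026-03-05T10:00:03Z openclaw-gw -> http://10.0.4.12:8080/~/login",
  "2026-03-05T10:00:04Z openclaw-gw -> http://[::1]:8080/~/login",
];

// Returns the lines whose destination fails the same check, i.e. SSRF-pattern
// egress from the gateway toward loopback, link-local or private space.
function flagPrivateEgress(lines: string[]): string[] {
  return lines.filter((line) => {
    const m = /-> (\S+)$/.exec(line);
    return m !== null && !validateUrbitUrl(m[1]).ok;
  });
}

for (const hit of flagPrivateEgress(SAMPLE_EGRESS_LOG)) console.log("ALERT", hit);
```

The literal-IP check alone is not enough against a hostname that resolves to an internal address, which is why `validateUrbitUrl` also accepts the resolved addresses; in a real client the resolution and the connection must use the same answer, or a DNS rebinding between the check and the request defeats it.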
How to Mitigate CVE-2026-28476
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Review current Urbit URL configurations for any suspicious or unauthorized entries
- Audit network logs for evidence of exploitation or reconnaissance
- Restrict network egress from OpenClaw servers to required destinations only
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.14. The fix introduces a dedicated authentication module with proper URL validation and adds an explicit allowPrivateNetwork configuration option that defaults to disabled. For detailed patch information, refer to the GitHub Security Advisory or the security commit.
Workarounds
- Disable the Tlon Urbit extension if not required until patching is possible
- Implement network-level controls to restrict outbound requests from OpenClaw servers
- Inbound filtering such as a WAF only helps where the Urbit URL is set through an exposed HTTP interface; the request that matters is the gateway's own outbound one, so egress filtering is the control that actually blocks it
- Configure strict egress rules allowing only connections to known, trusted Urbit endpoints
# Configuration example - restrict network access for OpenClaw
# Add to OpenClaw Tlon extension configuration after upgrading to 2026.2.14 or later
# The option does not exist in earlier versions, so it is post-upgrade hardening, not a workaround
# It defaults to disabled; setting it explicitly to false records the intent
allowPrivateNetwork: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


