CVE Vulnerability Database

CVE-2026-35673: OpenClaw SSRF Policy Bypass Vulnerability

CVE-2026-35673 is an SSRF policy bypass vulnerability in OpenClaw that allows attackers to reuse blocked tabs and access protected content. This article covers the technical details, affected versions, and mitigation strategies.


CVE-2026-35673 Overview

CVE-2026-35673 is a Server-Side Request Forgery (SSRF) policy bypass vulnerability in OpenClaw versions before 2026.4.29. The flaw exists in browser debug and export routes that permit reuse of already-open blocked tabs. Authenticated attackers with access to these routes can reuse blocked tabs to export or inspect content that private-network SSRF policies are designed to protect. The issue is tracked under CWE-863: Incorrect Authorization.

Critical Impact

Attackers can bypass private-network SSRF controls and exfiltrate content from internal resources by reusing blocked browser tabs through debug and export endpoints.

Affected Products

  • OpenClaw (Node.js distribution) versions prior to 2026.4.29
  • Deployments exposing browser debug routes
  • Deployments exposing browser export routes

Discovery Timeline

  • 2026-05-29 - CVE-2026-35673 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-35673

Vulnerability Analysis

OpenClaw enforces SSRF policies intended to prevent server-side requests against private network ranges. The browser debug and export routes manage tabs that the policy engine may flag as blocked. The vulnerability arises because these routes accept references to already-open tabs without re-evaluating the SSRF policy at the point of reuse. An attacker who can open a tab and observe that it is blocked can subsequently invoke the debug or export route against that same tab to read its contents or trigger an export action.

This is an authorization failure rather than a missing filter. The initial policy decision is enforced, but the same decision is not re-applied when previously blocked tabs are referenced again. As a result, the SSRF protection becomes a one-shot control that can be bypassed by reusing state the server still holds.

Root Cause

The root cause is incorrect authorization in the tab reuse flow. The debug and export routes trust the existence of a tab handle rather than re-validating that the underlying target URL is permitted by the SSRF policy. Refer to the GitHub Security Advisory GHSA-hcm3-8f6r-6xwg for the maintainer description.
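The authorization gap described above, as an added illustration that is not OpenClaw's code: a hypothetical server-side tab registry whose export route first trusts the tab handle alone, then is corrected to re-apply the SSRF policy at the point of reuse. The policy only checks literal IP addresses, and the class names, fields and the "state" placeholder are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Ranges a private-network SSRF policy typically denies (assumed policy, not OpenClaw's)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def ssrf_policy_allows(url: str) -> bool:
    """Deny URLs whose host is a literal address inside a private range."""
    host = urlparse(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname, not a literal: DNS-resolution checks are out of scope here
    return not any(addr in net for net in PRIVATE_NETS)


@dataclass
class Tab:
    tab_id: str
    url: str
    blocked: bool   # policy decision taken once, at navigation time
    state: str      # stands in for whatever the debug/export route would read or act on


class TabRegistry:
    """Hypothetical tab store: blocked tabs are kept around, merely flagged."""
    def __init__(self):
        self.tabs = {}

    def open_tab(self, tab_id: str, url: str, state: str) -> Tab:
        tab = Tab(tab_id, url, blocked=not ssrf_policy_allows(url), state=state)
        self.tabs[tab_id] = tab
        return tab


def export_tab_vulnerable(registry: TabRegistry, tab_id: str) -> str:
    # Trusts the existence of the handle: the earlier policy denial is never consulted
    return registry.tabs[tab_id].state


def export_tab_fixed(registry: TabRegistry, tab_id: str) -> str:
    tab = registry.tabs[tab_id]
    # Re-apply the policy at the point of reuse, against the tab's current target URL
    if tab.blocked or not ssrf_policy_allows(tab.url):
        raise PermissionError(f"SSRF policy denies reuse of tab {tab_id} ({tab.url})")
    return tab.state
```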

Attack Vector

Exploitation requires network access to the OpenClaw instance, low privileges sufficient to invoke the affected routes, and user interaction, as modeled in the CVSS vector. The attacker first triggers a navigation that the SSRF policy blocks, then reuses the resulting tab through the debug or export route to retrieve or act on the protected content. Technical details are available in the VulnCheck SSRF Policy Bypass Advisory.

Detection Methods for CVE-2026-35673

Indicators of Compromise

  • Requests to OpenClaw browser debug routes referencing tab identifiers that previously returned SSRF policy denials.
  • Export route invocations targeting tabs whose initial navigation was blocked by policy.
  • Outbound HTTP requests from the OpenClaw host to RFC1918 ranges, loopback, or cloud metadata endpoints such as 169.254.169.254.

Detection Strategies

  • Correlate SSRF policy denial events with subsequent successful debug or export operations against the same tab identifier within a short time window.
  • Audit OpenClaw application logs for repeated access to debug and export endpoints by the same low-privilege account.
  • Compare destination hosts in browser navigation logs against the configured SSRF allowlist to surface drift.
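The first detection strategy above, as an added example that is not from the advisory or any vendor tooling: a correlator run over constructed JSON log lines that flags a successful debug or export call on a tab whose navigation was denied by policy shortly before. The event names, route paths and field names are assumptions.

```python
import json
from datetime import datetime

# Constructed sample of OpenClaw-style policy and access logs (JSON lines, one event per line).
# Event names, route paths and field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2026-05-30T10:00:01Z","event":"ssrf_policy_denied","user":"u1","tab":"tab-7","target":"http://169.254.169.254/"}
{"ts":"2026-05-30T10:00:09Z","event":"route_access","user":"u1","tab":"tab-7","route":"/browser/export","status":200}
{"ts":"2026-05-30T10:00:12Z","event":"route_access","user":"u2","tab":"tab-9","route":"/browser/export","status":200}
{"ts":"2026-05-30T11:30:00Z","event":"route_access","user":"u1","tab":"tab-7","route":"/browser/debug","status":200}
"""

SENSITIVE_ROUTES = {"/browser/debug", "/browser/export"}  # hypothetical route paths


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_tab_reuse(lines, window_seconds: float = 300):
    """Return alerts for successful debug/export calls on a tab denied by policy
    within window_seconds before the call. Lines are assumed to be in timestamp order;
    only the most recent denial per tab id is kept."""
    denials = {}   # tab id -> most recent ssrf_policy_denied event
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev["event"] == "ssrf_policy_denied":
            denials[ev["tab"]] = ev
        elif (ev["event"] == "route_access" and ev.get("route") in SENSITIVE_ROUTES
              and ev.get("status") == 200):
            prior = denials.get(ev["tab"])
            if prior is None:
                continue
            gap = (parse_ts(ev["ts"]) - parse_ts(prior["ts"])).total_seconds()
            if 0 <= gap <= window_seconds:
                alerts.append({"tab": ev["tab"], "user": ev["user"], "route": ev["route"],
                               "denied_target": prior["target"], "seconds_after_denial": gap})
    return alerts


if __name__ == "__main__":
    for alert in correlate_tab_reuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same denial-then-reuse pair separated by more than the window is dropped, so widen window_seconds when tab handles are long-lived in your deployment.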

Monitoring Recommendations

  • Forward OpenClaw access and policy decision logs to a centralized log platform for retention and search.
  • Alert on any access to debug routes in production deployments where debug functionality should be disabled.
  • Track egress traffic from OpenClaw hosts to internal subnets and flag deviations from baseline destinations.

How to Mitigate CVE-2026-35673

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.4.29 or later on all affected deployments.
  • Restrict access to browser debug and export routes to trusted administrators only.
  • Revoke and reissue credentials for low-privilege accounts that had access to the affected routes during the exposure window.
  • Review historical logs for evidence of tab reuse against blocked targets.

Patch Information

The vulnerability is fixed in OpenClaw 2026.4.29. Apply the upgrade as documented in the GitHub Security Advisory GHSA-hcm3-8f6r-6xwg. Verify the deployed package version after upgrade and restart the service to ensure the patched code path is active.

Workarounds

  • Disable the browser debug route in production configurations until the upgrade is applied.
  • Block network egress from the OpenClaw host to private network ranges and cloud metadata services at the firewall layer.
  • Place OpenClaw behind a reverse proxy that enforces an allowlist of permitted destination hosts for outbound requests.
```bash
# Example egress restriction using iptables to block RFC1918 and metadata endpoints
# Assumes the OpenClaw service runs as the "openclaw" user; REJECT makes a blocked
# request fail immediately instead of hanging until timeout. These rules also cut off
# any legitimate internal dependencies, so insert narrower ACCEPT rules ahead of them.
iptables -A OUTPUT -m owner --uid-owner openclaw -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openclaw -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openclaw -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openclaw -d 169.254.169.254/32 -j REJECT
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
