Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43527

CVE-2026-43527: Openclaw SSRF Vulnerability

CVE-2026-43527 is a server-side request forgery flaw in Openclaw that enables attackers to access internal services through browser-driven requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-43527 Overview

CVE-2026-43527 is a Server-Side Request Forgery (SSRF) vulnerability in OpenClaw before version 2026.4.14. The flaw resides in the browser extension's SSRF policy logic, which permits private-network navigation by default. Attackers with low-privileged access can leverage browser-driven requests to reach internal services or cloud metadata endpoints that should be unreachable from external contexts. The issue is tracked under [CWE-918] and stems from configuration logic in extensions/browser/src/browser/config.ts that fails to honor explicit strict SSRF settings. The vulnerability affects deployments using OpenClaw on Node.js.

Critical Impact

Attackers can pivot through OpenClaw browser sessions to reach private-network services, internal APIs, and cloud metadata endpoints, exposing sensitive infrastructure data.

Affected Products

  • OpenClaw (openclaw:openclaw) versions prior to 2026.4.14
  • Node.js-based deployments of OpenClaw browser extensions
  • Applications embedding OpenClaw's browser SSRF policy module

Discovery Timeline

  • 2026-05-05 - CVE-2026-43527 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-43527

Vulnerability Analysis

The vulnerability originates in OpenClaw's browser configuration resolver. The function constructs SSRF policy options for the underlying browser engine and decides whether to set the dangerouslyAllowPrivateNetwork flag. In the unpatched code, the resolver only emits the flag when private-network navigation is explicitly enabled. It silently drops the flag when a caller passes an explicit false to enforce strict SSRF protection. The downstream browser library then falls back to its default behavior, which permits private-network navigation. This default-allow gap converts a developer's explicit hardening attempt into a permissive runtime configuration.

Root Cause

The root cause is incomplete handling of explicit boolean values in the SSRF configuration merge logic. The original conditional only forwarded the option when resolvedAllowPrivateNetwork was truthy. It ignored the case where dangerouslyAllowPrivateNetwork === false or the legacy alias allowPrivateNetwork === false was supplied. As a result, strict configurations were dropped before reaching the browser engine.

Attack Vector

An authenticated attacker who can submit URLs or trigger browser navigations through OpenClaw can request internal addresses such as 127.0.0.1, 169.254.169.254, or RFC 1918 ranges. The browser session executes the navigation against private hosts and returns or acts on the response. The attack requires network access and low privileges and does not require user interaction.

typescript
// Patch from commit 1dabfef - preserve explicit strict SSRF config
  return {
-    ...(resolvedAllowPrivateNetwork ? { dangerouslyAllowPrivateNetwork: true } : {}),
+    ...(resolvedAllowPrivateNetwork || dangerouslyAllowPrivateNetwork === false
+      ? { dangerouslyAllowPrivateNetwork: resolvedAllowPrivateNetwork }
+      : {}),
     ...(allowedHostnames ? { allowedHostnames } : {}),
     ...(hostnameAllowlist ? { hostnameAllowlist } : {}),
   };

Source: GitHub Commit 1dabfef

typescript
// Patch from commit 213c36c - preserve legacy strict SSRF alias
  return {
-    ...(resolvedAllowPrivateNetwork || dangerouslyAllowPrivateNetwork === false
+    ...(resolvedAllowPrivateNetwork ||
+    dangerouslyAllowPrivateNetwork === false ||
+    allowPrivateNetwork === false
       ? { dangerouslyAllowPrivateNetwork: resolvedAllowPrivateNetwork }
       : {}),
     ...(allowedHostnames ? { allowedHostnames } : {}),

Source: GitHub Commit 213c36c

Detection Methods for CVE-2026-43527

Indicators of Compromise

  • Outbound browser navigations from OpenClaw hosts to RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Requests to cloud metadata endpoints such as 169.254.169.254 or metadata.google.internal originating from the OpenClaw process.
  • Loopback navigations targeting 127.0.0.1 or localhost on internal service ports.
  • Anomalous referer or origin headers in internal HTTP server logs tied to OpenClaw user agents.

Detection Strategies

  • Inspect OpenClaw runtime configuration for the absence of dangerouslyAllowPrivateNetwork: false and audit calling code for missing strict overrides.
  • Run version inventory queries against the openclaw package and flag any release earlier than 2026.4.14.
  • Correlate egress proxy logs with browser session identifiers to detect navigations to private CIDR ranges.

Monitoring Recommendations

  • Forward OpenClaw browser navigation events to a centralized log pipeline and alert on private-network destinations.
  • Apply egress filtering at the host or container level so that browser processes cannot reach cloud metadata services.
  • Track EPSS probability for CVE-2026-43527 over time and re-prioritize patching if exploitability rises.

How to Mitigate CVE-2026-43527

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.4.14 or later, which contains the patches in commits 1dabfef, 213c36c, 024f461, and 7eecfa4.
  • Audit application code that initializes the OpenClaw browser to confirm that dangerouslyAllowPrivateNetwork: false is honored after the upgrade.
  • Restrict outbound network access from OpenClaw worker hosts to only the destinations the application requires.

Patch Information

The fix is published in GitHub Security Advisory GHSA-53vx-pmqw-863c. The patch updates extensions/browser/src/browser/config.ts so the resolver forwards explicit false values for both dangerouslyAllowPrivateNetwork and the legacy allowPrivateNetwork alias. Additional context is available in the VulnCheck SSRF Advisory.

Workarounds

  • Place OpenClaw browser workloads in a network segment that cannot route to internal services or cloud metadata endpoints.
  • Use an egress proxy with an allowlist of approved external hostnames and block all RFC 1918 and link-local destinations.
  • Configure host firewall rules to deny traffic from the OpenClaw process to 169.254.169.254 and other metadata service IPs.
  • Validate and normalize user-supplied URLs before passing them to OpenClaw, rejecting private addresses and DNS names that resolve to them.
bash
# Example egress firewall rules to block metadata and private ranges from OpenClaw containers
iptables -A OUTPUT -m owner --uid-owner openclaw -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 192.168.0.0/16 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.