CVE-2026-43527 Overview
CVE-2026-43527 is a Server-Side Request Forgery (SSRF) vulnerability in OpenClaw before version 2026.4.14. The flaw resides in the browser extension's SSRF policy logic, which permits private-network navigation by default. Attackers with low-privileged access can leverage browser-driven requests to reach internal services or cloud metadata endpoints that should be unreachable from external contexts. The issue is tracked under CWE-918 and stems from configuration logic in extensions/browser/src/browser/config.ts that fails to honor explicit strict SSRF settings. The vulnerability affects deployments using OpenClaw on Node.js.
Critical Impact
Attackers can pivot through OpenClaw browser sessions to reach private-network services, internal APIs, and cloud metadata endpoints, exposing sensitive infrastructure data.
Affected Products
- OpenClaw (openclaw:openclaw) versions prior to 2026.4.14
- Node.js-based deployments of OpenClaw browser extensions
- Applications embedding OpenClaw's browser SSRF policy module
Discovery Timeline
- 2026-05-05 - CVE-2026-43527 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43527
Vulnerability Analysis
The vulnerability originates in OpenClaw's browser configuration resolver. The function constructs SSRF policy options for the underlying browser engine and decides whether to set the dangerouslyAllowPrivateNetwork flag. In the unpatched code, the resolver only emits the flag when private-network navigation is explicitly enabled. It silently drops the flag when a caller passes an explicit false to enforce strict SSRF protection. The downstream browser library then falls back to its default behavior, which permits private-network navigation. This default-allow gap converts a developer's explicit hardening attempt into a permissive runtime configuration.
Root Cause
The root cause is incomplete handling of explicit boolean values in the SSRF configuration merge logic. The original conditional only forwarded the option when resolvedAllowPrivateNetwork was truthy. It ignored the case where dangerouslyAllowPrivateNetwork === false or the legacy alias allowPrivateNetwork === false was supplied. As a result, strict configurations were dropped before reaching the browser engine.
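To make the merge bug concrete, here is an added model of the resolver, written for this page and not OpenClaw's own config.ts: the type names, the precedence between the two option spellings, and the `!== undefined` gate in the fixed variant are assumptions of this model, and the engine's default-allow is stubbed from the advisory's description.

```typescript
// Added model of the CVE-2026-43527 merge bug; a simplified stand-in for the
// resolver in extensions/browser/src/browser/config.ts, not OpenClaw's code.
type BrowserSsrfInput = {
  dangerouslyAllowPrivateNetwork?: boolean;
  allowPrivateNetwork?: boolean; // legacy alias named in the advisory
  allowedHostnames?: string[];
};
type EnginePolicy = {
  dangerouslyAllowPrivateNetwork?: boolean;
  allowedHostnames?: string[];
};

// Merge both spellings into one value (precedence here is an assumption).
function resolveAllow(input: BrowserSsrfInput): boolean {
  return input.dangerouslyAllowPrivateNetwork ?? input.allowPrivateNetwork ?? false;
}

// Unpatched behaviour: the flag is forwarded only when private networking is
// enabled, so an explicit `false` never reaches the engine.
function resolveVulnerable(input: BrowserSsrfInput): EnginePolicy {
  const resolved = resolveAllow(input);
  return {
    ...(resolved ? { dangerouslyAllowPrivateNetwork: true } : {}),
    ...(input.allowedHostnames ? { allowedHostnames: input.allowedHostnames } : {}),
  };
}

// Patched behaviour: forward the resolved boolean whenever either input was
// set explicitly. This gates on `!== undefined` (an assumption of this
// model) rather than the per-alias `=== false` checks in the upstream fix.
function resolveFixed(input: BrowserSsrfInput): EnginePolicy {
  const resolved = resolveAllow(input);
  const explicit =
    input.dangerouslyAllowPrivateNetwork !== undefined ||
    input.allowPrivateNetwork !== undefined;
  return {
    ...(explicit ? { dangerouslyAllowPrivateNetwork: resolved } : {}),
    ...(input.allowedHostnames ? { allowedHostnames: input.allowedHostnames } : {}),
  };
}

// Models the downstream engine: an absent flag falls back to its default,
// which the advisory states permits private-network navigation.
function engineAllowsPrivate(policy: EnginePolicy): boolean {
  return policy.dangerouslyAllowPrivateNetwork ?? true;
}
```

Running `engineAllowsPrivate(resolveVulnerable({ dangerouslyAllowPrivateNetwork: false }))` yields `true`, which is the default-allow gap; the same input through `resolveFixed` yields `false`.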
Attack Vector
An authenticated attacker who can submit URLs or trigger browser navigations through OpenClaw can request internal addresses such as 127.0.0.1, 169.254.169.254, or RFC 1918 ranges. The browser session executes the navigation against private hosts and returns or acts on the response. The attack requires network access and low privileges and does not require user interaction.
// Patch from commit 1dabfef - preserve explicit strict SSRF config
return {
- ...(resolvedAllowPrivateNetwork ? { dangerouslyAllowPrivateNetwork: true } : {}),
+ ...(resolvedAllowPrivateNetwork || dangerouslyAllowPrivateNetwork === false
+ ? { dangerouslyAllowPrivateNetwork: resolvedAllowPrivateNetwork }
+ : {}),
...(allowedHostnames ? { allowedHostnames } : {}),
...(hostnameAllowlist ? { hostnameAllowlist } : {}),
};
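Review bot: the new gate at `dangerouslyAllowPrivateNetwork === false` covers only one spelling of the option; an explicit `allowPrivateNetwork: false` through the legacy alias the resolver also accepts still falls through to `{}`, and the engine then defaults to allowing private networks. Consider gating on whether either input was supplied at all (`!== undefined`) instead of enumerating `=== false` per alias, and add a test asserting that `{ dangerouslyAllowPrivateNetwork: false }` reaches the engine unchanged.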
Source: GitHub Commit 1dabfef
// Patch from commit 213c36c - preserve legacy strict SSRF alias
return {
- ...(resolvedAllowPrivateNetwork || dangerouslyAllowPrivateNetwork === false
+ ...(resolvedAllowPrivateNetwork ||
+ dangerouslyAllowPrivateNetwork === false ||
+ allowPrivateNetwork === false
? { dangerouslyAllowPrivateNetwork: resolvedAllowPrivateNetwork }
: {}),
...(allowedHostnames ? { allowedHostnames } : {}),
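Review bot: with three inputs now gating the spread, the value forwarded is still `resolvedAllowPrivateNetwork`, so when the aliases disagree (for example `allowPrivateNetwork: false` next to `dangerouslyAllowPrivateNetwork: true`) the outcome depends on how `resolvedAllowPrivateNetwork` is computed, which this hunk does not show; document that precedence in a comment and cover the conflicting-input case in the tests. The growing chain of `=== false` checks also has to be extended for every future alias, so testing `!== undefined` on each input would close the gap permanently.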
Source: GitHub Commit 213c36c
Detection Methods for CVE-2026-43527
Indicators of Compromise
- Outbound browser navigations from OpenClaw hosts to RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- Requests to cloud metadata endpoints such as 169.254.169.254 or metadata.google.internal originating from the OpenClaw process.
- Loopback navigations targeting 127.0.0.1 or localhost on internal service ports.
- Anomalous referer or origin headers in internal HTTP server logs tied to OpenClaw user agents.
Detection Strategies
- Inspect OpenClaw runtime configuration for the absence of dangerouslyAllowPrivateNetwork: false and audit calling code for missing strict overrides.
- Run version inventory queries against the openclaw package and flag any release earlier than 2026.4.14.
- Correlate egress proxy logs with browser session identifiers to detect navigations to private CIDR ranges.
Monitoring Recommendations
- Forward OpenClaw browser navigation events to a centralized log pipeline and alert on private-network destinations.
- Apply egress filtering at the host or container level so that browser processes cannot reach cloud metadata services.
- Track EPSS probability for CVE-2026-43527 over time and re-prioritize patching if exploitability rises.
How to Mitigate CVE-2026-43527
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.14 or later, which contains the patches in commits 1dabfef, 213c36c, 024f461, and 7eecfa4.
- Audit application code that initializes the OpenClaw browser to confirm that dangerouslyAllowPrivateNetwork: false is honored after the upgrade.
- Restrict outbound network access from OpenClaw worker hosts to only the destinations the application requires.
Patch Information
The fix is published in GitHub Security Advisory GHSA-53vx-pmqw-863c. The patch updates extensions/browser/src/browser/config.ts so the resolver forwards explicit false values for both dangerouslyAllowPrivateNetwork and the legacy allowPrivateNetwork alias. Additional context is available in the VulnCheck SSRF Advisory.
Workarounds
- Place OpenClaw browser workloads in a network segment that cannot route to internal services or cloud metadata endpoints.
- Use an egress proxy with an allowlist of approved external hostnames and block all RFC 1918 and link-local destinations.
- Configure host firewall rules to deny traffic from the OpenClaw process to 169.254.169.254 and other metadata service IPs.
- Validate and normalize user-supplied URLs before passing them to OpenClaw, rejecting private addresses and DNS names that resolve to them.
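The following added example (not OpenClaw code) serves both the Detection Strategies above and the URL-validation workaround: it classifies the destinations named in the Indicators of Compromise, scans constructed egress-proxy lines for them, and applies the same classifier to a user-supplied URL before navigation. The log line format, the `openclaw` process user and the resolved addresses are constructed for illustration.

```typescript
// Added example, not OpenClaw code: classify the destinations named in the
// IoCs and apply that to egress log lines (detection) and user URLs (workaround).
function isPrivateIPv4(ip: string): boolean {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const [a, b, c, d] = ip.split(".").map(Number);
  if (a > 255 || b > 255 || c > 255 || d > 255) return false;
  return (
    a === 10 ||                          // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168) ||          // 192.168.0.0/16
    a === 127 ||                         // loopback
    (a === 169 && b === 254)             // link-local, incl. 169.254.169.254
  );
}
// Names that reach internal targets without a DNS answer to inspect.
const BLOCKED_NAMES = ["localhost", "metadata.google.internal"];
function isPrivateHost(host: string): boolean {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  return BLOCKED_NAMES.indexOf(h) !== -1 || h === "::1" || isPrivateIPv4(h);
}
// Constructed egress-proxy lines: "<ts> uid=<user> dst=<host:port> url=<url>".
const SAMPLE_EGRESS_LOG: string[] = [
  "2026-05-06T10:00:00Z uid=openclaw dst=169.254.169.254:80 url=http://169.254.169.254/latest/meta-data/",
  "2026-05-06T10:00:01Z uid=openclaw dst=example.com:443 url=https://example.com/",
  "2026-05-06T10:00:02Z uid=openclaw dst=10.0.3.7:8080 url=http://10.0.3.7:8080/admin",
  "2026-05-06T10:00:03Z uid=www-data dst=192.168.1.5:80 url=http://192.168.1.5/",
  "2026-05-06T10:00:04Z uid=openclaw dst=localhost:5432 url=http://localhost:5432/",
];
// Detection: lines where the given process user reached a private destination.
function findPrivateEgress(lines: string[], uid: string = "openclaw"): string[] {
  return lines.filter((line) => {
    const m = /uid=(\S+)\s+dst=([^\s:]+)/.exec(line);
    return m !== null && m[1] === uid && isPrivateHost(m[2]);
  });
}
function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}
// Workaround: pre-navigation check. The caller resolves the hostname first
// (e.g. dns.promises.resolve4) and passes the answers, so names mapping to
// private addresses are rejected too; DNS can change between check and
// connect, so this complements the egress firewall rather than replacing it.
function isAllowedNavigation(raw: string, resolvedAddrs: string[]): boolean {
  const url = parseUrl(raw);
  if (url === null) return false;
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (isPrivateHost(host)) return false;
  return !resolvedAddrs.some(isPrivateIPv4);
}
```

On the constructed log, `findPrivateEgress(SAMPLE_EGRESS_LOG)` returns the metadata, 10.0.3.7 and localhost lines and ignores the www-data event, which is the set to alert on in the monitoring pipeline.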
# Example egress firewall rules to block metadata and private ranges from OpenClaw containers
iptables -A OUTPUT -m owner --uid-owner openclaw -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.