CVE-2026-6011 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in OpenClaw versions up to 2026.1.26. The vulnerability exists in the assertPublicHostname handler within the src/agents/tools/web-fetch.ts component. This weakness allows remote attackers to manipulate server-side requests, potentially enabling access to internal resources that should not be externally accessible.
Critical Impact
Remote attackers can exploit this SSRF vulnerability to bypass hostname validation and potentially access internal network resources, cloud metadata services, or other protected endpoints.
Affected Products
- OpenClaw versions up to 2026.1.26
- Component: src/agents/tools/web-fetch.ts - assertPublicHostname Handler
Discovery Timeline
- April 10, 2026 - CVE-2026-6011 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-6011
Vulnerability Analysis
This SSRF vulnerability (CWE-918) affects the web-fetch functionality in OpenClaw's agent tools. The assertPublicHostname handler fails to properly validate and restrict hostname resolution, allowing attackers to craft requests that bypass intended security controls. While the attack is characterized by high complexity and the exploitation is considered difficult, the vulnerability has been publicly disclosed with exploit information made available.
The vulnerable component handles URL fetching operations without adequate DNS pinning, which can be exploited to redirect server-side requests to arbitrary destinations. This type of vulnerability is particularly dangerous in cloud environments where attackers could potentially access instance metadata endpoints or internal services.
Root Cause
The root cause lies in insufficient hostname validation within the assertPublicHostname function. The original implementation did not properly pin DNS resolutions, allowing potential DNS rebinding attacks or manipulation of the resolved IP addresses between validation and actual request execution. The fix introduces a hardened DNS pinning mechanism using a custom Dispatcher with undici to ensure the resolved hostname remains consistent throughout the request lifecycle.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can remotely exploit this vulnerability by manipulating URL fetch requests to target internal resources. The high attack complexity stems from the need to bypass the existing hostname validation mechanisms, potentially through DNS rebinding techniques or timing attacks on the DNS resolution process.
// Security patch introducing DNS pinning (Source: GitHub Commit)
import { lookup as dnsLookup } from "node:dns/promises";
import { lookup as dnsLookupCb, type LookupAddress } from "node:dns";
import { Agent, type Dispatcher } from "undici";
type LookupCallback = (
err: NodeJS.ErrnoException | null,
address: string | LookupAddress[],
family?: number,
) => void;
export class SsrFBlockedError extends Error {
constructor(message: string) {
Source: GitHub Commit Diff
// Updated input-files.ts with pinned dispatcher (Source: GitHub Commit)
import { logWarn } from "../logger.js";
import {
closeDispatcher,
createPinnedDispatcher,
resolvePinnedHostname,
} from "../infra/net/ssrf.js";
import type { Dispatcher } from "undici";
type CanvasModule = typeof import("@napi-rs/canvas");
type PdfJsModule = typeof import("pdfjs-dist/legacy/build/pdf.mjs");
Source: GitHub Commit Diff
Detection Methods for CVE-2026-6011
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests from OpenClaw server to internal IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254)
- DNS queries followed by connections to unexpected internal endpoints
- Requests to cloud metadata endpoints (e.g., AWS 169.254.169.254, Azure metadata services)
- Abnormal patterns in web-fetch agent tool logs indicating redirected or manipulated requests
Detection Strategies
- Monitor network traffic for server-originated requests to internal IP address ranges or cloud metadata services
- Implement DNS query logging and alert on resolution of internal hostnames from external input sources
- Review application logs for errors related to SsrFBlockedError exceptions which may indicate exploitation attempts
- Deploy web application firewall (WAF) rules to detect SSRF attack patterns in incoming requests
Monitoring Recommendations
- Enable verbose logging for the src/agents/tools/web-fetch.ts component and src/infra/net/ssrf.ts module
- Configure network segmentation monitoring to detect lateral movement attempts via SSRF
- Implement egress filtering with logging to capture unauthorized outbound connection attempts
- Set up alerts for repeated DNS resolution failures or blocked requests from the SSRF protection module
How to Mitigate CVE-2026-6011
Immediate Actions Required
- Upgrade OpenClaw to version 2026.1.29 or later immediately
- Review application logs for any evidence of SSRF exploitation attempts prior to patching
- Implement network-level controls to restrict outbound connections from OpenClaw servers to known-safe destinations
- Audit any data that may have been accessed through potential SSRF exploitation
Patch Information
The vulnerability is resolved in OpenClaw version 2026.1.29. The fix is contained in commit b623557a2ec7e271bda003eb3ac33fbb2e218505, which introduces hardened DNS pinning using undici dispatchers. The patch replaces the vulnerable assertPublicHostname function with a more robust implementation featuring createPinnedDispatcher and resolvePinnedHostname functions that maintain DNS resolution consistency throughout the request lifecycle.
For detailed patch information, refer to:
Workarounds
- Implement network egress filtering to block connections to internal IP ranges from OpenClaw application servers
- Deploy a reverse proxy with SSRF protection capabilities in front of the OpenClaw web-fetch functionality
- Disable or restrict the web-fetch agent tool functionality if not required for business operations
- Configure firewall rules to explicitly allow-list only necessary external domains for outbound requests
# Example: Network egress filtering using iptables to block internal ranges
# Block requests to private IP ranges from OpenClaw application
iptables -A OUTPUT -m owner --uid-owner openclaw -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner openclaw -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
