Description
OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments.
Published: 2026-03-05
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote server-side request forgery enabling internal resource disclosure and data exfiltration
Action: Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in the attachment and media URL hydration process. When a message is sent or auto-replied, an attacker able to control media URLs can cause the server to fetch arbitrary HTTP(S) resources. The fetched response is returned as an outbound attachment, allowing the attacker to access internal services or exfiltrate sensitive data.

Affected Systems

The product affected is OpenClaw. Versions older than 2026.2.2 are vulnerable because they lack the check introduced in that release. No other vendors or product lines are listed in the advisory.

Risk and Exploitability

The CVSS score of 6.3 classifies the issue as medium severity. The EPSS score is below 1%, indicating a very low predicted exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to influence media URLs via the model-controlled sendAttachment or auto-reply mechanisms, after which the server can reach internal endpoints and return their contents to the attacker.

Generated by OpenCVE AI on April 17, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.2 or later, which contains the fix for the URL hydration vulnerability.
  • Restrict media URL usage in sendAttachment and auto-reply features by allowing only whitelisted domains or trusted sources.
  • Disable or remove auto-reply or any endpoint that processes externally supplied media URLs if an immediate upgrade is not possible.
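As an added illustration of the second action above (this is not OpenClaw's code; the allowlist contents and the function names are assumptions for the example), a check that an externally supplied media URL must pass before the server fetches it on a caller's behalf:

```javascript
// Added example, not OpenClaw's own code: a guard for externally supplied media
// URLs of the kind the "restrict media URL usage" action calls for.
// ALLOWED_MEDIA_HOSTS and the function names are assumptions for this example.

// Hosts the deployment trusts to serve attachments (constructed sample allowlist).
const ALLOWED_MEDIA_HOSTS = new Set(["cdn.example.com", "media.example.org"]);

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for addresses a server must never fetch for an untrusted caller:
// "this" network, loopback, RFC 1918, CGNAT, link-local, and IPv6 equivalents.
function isInternalIp(ip) {
  const m = IPV4.exec(ip);
  if (m) {
    const [a, b] = [Number(m[1]), Number(m[2])];
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  const v6 = ip.toLowerCase();
  if (v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || v6.startsWith("fe80:")) return true;
  // The WHATWG URL parser serialises IPv4-mapped addresses as ::ffff:xxxx:xxxx;
  // convert back to dotted form so the IPv4 rules above apply to them as well.
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return isInternalIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// Returns { ok: true, url } for a fetchable media URL, else { ok: false, reason }.
// Parsing with the WHATWG URL class first means decimal, octal and hex IPv4 forms
// (e.g. 2130706433) arrive here already normalised to dotted notation.
function checkMediaUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" }; // rejects file:, data:, gopher: ...
  }
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const isLiteral = IPV4.test(host) || url.hostname.startsWith("[");
  if (isLiteral) {
    return { ok: false, reason: isInternalIp(host) ? "internal-ip" : "literal-ip-not-allowlisted" };
  }
  if (!ALLOWED_MEDIA_HOSTS.has(host)) return { ok: false, reason: "host-not-allowlisted" };
  return { ok: true, url: url.href };
}
```

This check only covers the URL as written; an allowlisted hostname can still resolve to an internal address or redirect to one, so the fetch itself should also refuse redirects to non-allowlisted hosts and validate the resolved address with the same isInternalIp rule.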

Advisories

Source: GitHub GHSA
ID: GHSA-wfp2-v9c7-fh79
Title: OpenClaw affected by SSRF via attachment/media URL hydration
History

Mon, 09 Mar 2026 18:15:00 +0000

Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 16:45:00 +0000

Metrics, values removed:
cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

Metrics, values added:
cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L'}
cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

Thu, 05 Mar 2026 22:15:00 +0000 (values added)

Description: OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments.
Title: OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-918
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References
Metrics:
cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-09T17:55:53.923Z

Reserved: 2026-02-27T19:18:57.083Z

Link: CVE-2026-28467

Vulnrichment

Updated: 2026-03-09T17:55:33.087Z

NVD

Status: Analyzed

Published: 2026-03-05T22:16:19.997

Modified: 2026-03-09T15:28:05.933

Link: CVE-2026-28467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses