Description
OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch functionality to access blocked addresses such as 198.18.0.0/15 and other non-global ranges.
Published: 2026-03-19
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: SSRF Bypass
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.22 contain an incomplete validation of IPv4 special‑use ranges in the isPrivateIpv4() function, so web_fetch requests that target RFC‑reserved addresses such as 198.18.0.0/15 pass the SSRF guard that was meant to block them. An attacker who can supply a URL to web_fetch can therefore make the OpenClaw host issue requests to non‑global IP ranges, reaching internal resources or services that should have been unreachable and potentially exposing confidential information or enabling further attacks, provided those ranges are actually routable from the network the instance sits on.
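To make the class of bypass concrete, the example below (added here; it is not OpenClaw's code, and the project's actual range list is not reproduced on this page) places a deliberately incomplete IPv4 guard that covers only RFC 1918, loopback and link-local space next to one that covers the full IANA IPv4 special-purpose registry. A target such as 198.18.0.1 passes the first and is blocked by the second. The function names `parseIpv4`, `inCidr`, `isSpecialUseIpv4` and `compareGuards`, the `INCOMPLETE_V4` list standing in for pre-fix behaviour, and the sample targets are assumptions constructed for the example.

```javascript
// Added example, not OpenClaw's code: a complete IPv4 special-use check
// beside a deliberately incomplete one, to show the bypass class described
// in the advisory. Ranges follow the IANA IPv4 Special-Purpose Address
// Registry (RFC 6890 and successors).

const SPECIAL_USE_V4 = [
  ['0.0.0.0', 8],        // "this network" (RFC 791)
  ['10.0.0.0', 8],       // private (RFC 1918)
  ['100.64.0.0', 10],    // shared address space / CGNAT (RFC 6598)
  ['127.0.0.0', 8],      // loopback (RFC 1122)
  ['169.254.0.0', 16],   // link-local (RFC 3927)
  ['172.16.0.0', 12],    // private (RFC 1918)
  ['192.0.0.0', 24],     // IETF protocol assignments (RFC 6890)
  ['192.0.2.0', 24],     // TEST-NET-1 (RFC 5737)
  ['192.88.99.0', 24],   // deprecated 6to4 relay anycast (RFC 7526)
  ['192.168.0.0', 16],   // private (RFC 1918)
  ['198.18.0.0', 15],    // benchmarking (RFC 2544); the range named in the CVE
  ['198.51.100.0', 24],  // TEST-NET-2 (RFC 5737)
  ['203.0.113.0', 24],   // TEST-NET-3 (RFC 5737)
  ['224.0.0.0', 4],      // multicast (RFC 5771)
  ['240.0.0.0', 4],      // reserved (RFC 1112); includes 255.255.255.255
];

// Hypothetical incomplete list standing in for a pre-fix guard: only
// RFC 1918, loopback and link-local. Assumed for illustration, not
// OpenClaw's actual code.
const INCOMPLETE_V4 = [
  ['10.0.0.0', 8], ['127.0.0.0', 8], ['169.254.0.0', 16],
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Strict dotted-quad parser: exactly four decimal octets, no leading zeros.
// Rejects octal, hex, shorthand and integer forms (0177.0.0.1, 0x7f.1,
// 2130706433) that inet_aton-style parsers accept and a loose guard could
// misclassify. Returns an unsigned 32-bit value or null.
function parseIpv4(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null; // leading zero
    const v = Number(octet);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// CIDR membership on unsigned 32-bit values; >>> 0 keeps results unsigned.
function inCidr(addr, [base, bits]) {
  const baseN = parseIpv4(base);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// True when the literal must be blocked. Unparseable input fails closed.
function isSpecialUseIpv4(str, ranges = SPECIAL_USE_V4) {
  const n = parseIpv4(str);
  if (n === null) return true;
  return ranges.some((r) => inCidr(n, r));
}

// Side by side: which literal targets does each guard block?
function compareGuards(targets) {
  return targets.map((target) => ({
    target,
    blockedByIncomplete: isSpecialUseIpv4(target, INCOMPLETE_V4),
    blockedByComplete: isSpecialUseIpv4(target),
  }));
}

// Constructed sample inputs for the demonstration.
const SAMPLE_TARGETS = [
  '198.18.0.1', '198.19.255.254', '100.64.1.1', '192.0.0.8',
  '203.0.113.5', '10.1.2.3', '8.8.8.8', '0177.0.0.1',
];

for (const row of compareGuards(SAMPLE_TARGETS)) {
  console.log(row);
}
```

A literal-address check like this is one layer only: the same test has to be applied to every address the URL's hostname resolves to and to the address the socket actually connects to (and again after each redirect) to defeat DNS rebinding, and IPv4-mapped IPv6 literals such as ::ffff:198.18.0.1 must be unwrapped before the IPv4 check runs. Those are general SSRF-guard requirements, not findings stated by this advisory.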

Affected Systems

All OpenClaw instances running any release older than 2026.2.22 are affected. The recorded CPE is cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* with no lower bound or sub‑versions, so every release before the fixed version should be treated as vulnerable until the upgrade is applied.

Risk and Exploitability

The CVSS v4.0 base score of 2.3 indicates low overall severity (the history below also records a CVSS v3.1 score, revised from 6.0 to 7.4 when the attack complexity was changed from high to low, so the severity a program assigns depends on which vector it tracks). EPSS is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Per the vectors, exploitation requires a low‑privileged user who can pass a URL to web_fetch, and the targeted special‑use range must be routable from the network the OpenClaw instance sits on; the bypass only matters where such ranges actually carry internal services. While the risk is lower than that of high‑impact flaws, the ability to reach internal services would be valuable to a threat actor who already has that foothold.

Generated by OpenCVE AI on March 20, 2026 at 00:07 UTC.

Remediation

The fix ships in OpenClaw 2026.2.22 (all earlier versions are affected); no vendor workaround is listed. See the GHSA advisory below.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.22 or later.
  • If upgrading is not immediately possible, enforce the block outside the application: deny egress from the OpenClaw host to 198.18.0.0/15 and the other IANA special‑purpose (non‑global) IPv4 ranges with host or network firewall rules, since the in‑application guard is the component that is incomplete.
  • Verify from the OpenClaw host that internal hosts and special‑use ranges cannot be reached, and re‑verify after the patch is applied.


Advisories
Source: GitHub GHSA
ID: GHSA-4rqq-w8v4-7p47
Title: OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
History

Wed, 25 Mar 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}


Fri, 20 Mar 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 22:15:00 +0000

Type: Description
Values Added: OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch functionality to access blocked addresses such as 198.18.0.0/15 and other non-global ranges.
Type: Title
Values Added: OpenClaw < 2026.2.22 - Incomplete IPv4 Special-Use Range Blocking in SSRF Guard
Type: First Time appeared
Values Added: Openclaw (vendor); Openclaw openclaw (product)
Type: Weaknesses
Values Added: CWE-918
Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw
Type: References
Values Added: (blank)
Type: Metrics
Values Added: cvssV3_1 {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}; cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T14:27:49.829Z

Reserved: 2026-03-10T19:48:40.708Z

Link: CVE-2026-32019

Vulnrichment

Updated: 2026-03-20T18:02:16.484Z

NVD

Status : Undergoing Analysis

Published: 2026-03-19T22:16:35.680

Modified: 2026-03-25T15:16:44.483

Link: CVE-2026-32019

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T11:05:26Z

Weaknesses