Description
OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected.
Published: 2026-05-29
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before 2026.4.29 is vulnerable to an SSRF policy bypass in its browser debug and export routes. Attackers who can reach these routes may reuse tabs that the system has already blocked from reaching private network resources, and through those tabs inspect or export data that should remain protected. The flaw is mapped to CWE-863 (Incorrect Authorization) and carries a CVSS v4.0 base score of 5.9 (CVSS v3.1: 6.5), indicating moderate severity.

Affected Systems

The vulnerability affects all OpenClaw installations running a version earlier than 2026.4.29. The CPE entry identifies the product as a Node.js application; no operating system or Node.js version restriction is listed, so any environment running an affected OpenClaw version should be treated as in scope.

Risk and Exploitability

Exploitation requires an attacker who can already reach the browser debug or export routes. The published vectors (CVSS v3.1 AV:N/AC:H/PR:L/UI:R; CVSS v4.0 AV:N/AC:H/AT:P/PR:L/UI:P) describe a network-reachable attack that needs low privileges, user interaction and a high attack complexity, so an unauthenticated remote party cannot trigger it without that access. Because no EPSS score is available and the vulnerability is not listed in CISA KEV, the likelihood of a large-scale exploitation campaign is uncertain. Nevertheless, deployments that expose the debug or export routes to untrusted users face a real risk of internal SSRF restrictions being bypassed and sensitive data being exfiltrated.

Generated by OpenCVE AI on May 29, 2026 at 17:51 UTC.

Remediation

No vendor advisory or workaround is linked to this record yet. The CVE description names versions before 2026.4.29 as affected, so 2026.4.29 is the first version presented as fixed.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.4.29 or newer
  • Disable or restrict access to the browser debug and export routes so that only trusted users can reach them
  • Enforce the private-network SSRF policy on every route that can act on an existing tab (including debug and export routes), not only when a tab is opened, and review who can reach exported content

Generated by OpenCVE AI on May 29, 2026 at 17:51 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 21:30:00 +0000 (values added; nothing removed)

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000 (values added; nothing removed)

Description: OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected.
Title: OpenClaw < 2026.4.29 - SSRF Policy Bypass via Browser Debug/Export Routes
First Time appeared: Openclaw (vendor), Openclaw openclaw (product)
Weaknesses: CWE-863
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw (vendor), Openclaw openclaw (product)
References: (none listed)
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N'}
         cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T20:39:07.285Z

Reserved: 2026-04-04T12:32:50.476Z

Link: CVE-2026-35673

Vulnrichment

Updated: 2026-05-29T20:39:03.447Z

NVD

Status : Awaiting Analysis

Published: 2026-05-29T16:16:26.230

Modified: 2026-05-29T16:29:34.540

Link: CVE-2026-35673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:15:04Z

Weaknesses