Impact
The vulnerability is a server-side request forgery (SSRF) in the marketplace plugin download of OpenClaw and is classified as CWE-918 (Server-Side Request Forgery), the weakness in which a server fetches a URL supplied by a user without validating it. It allows remote attackers to make arbitrary HTTP requests originate from the server because the URL passed to the fetch() call is neither validated nor restricted. By crafting a request to the download endpoint, an attacker can make the server access internal network resources or contact external services, potentially exposing sensitive internal data or enabling further attacks.
Affected Systems
OpenClaw platforms built on Node.js before version 2026.3.31 are affected. The vulnerable product is OpenClaw:OpenClaw, as identified by its CPE string. Any deployment that exposes the marketplace plugin download function is susceptible until the security fix is applied.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known exploitation yet. However, because the flaw lets a remote attacker initiate requests from the affected server, the potential impact on internal resources or external services warrants timely remediation. The attack vector is network-based, and exploitation requires that the attacker can reach the marketplace download endpoint. If the internal network hosts sensitive services, the risk of accidental or intentional data exposure is significant.
OpenCVE Enrichment
Github GHSA