Description
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.
Published: 2026-04-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before version 2026.3.28 contains a flaw in its SSRF guard that fails to filter four IPv6 special‑use ranges. An attacker can craft URLs that reference internal or non‑routable IPv6 addresses and send them to the application; the guard will allow the request to proceed, enabling the attacker to reach resources on the internal network that are otherwise unreachable from the outside. This flaw does not directly provide code execution but can expose sensitive internal endpoints or data.

Affected Systems

The affected vendor is OpenClaw and the product is OpenClaw. Versions prior to 2026.3.28 are vulnerable. No other versions are listed as affected.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity; exploitation does not yield direct code execution. The EPSS score of less than 1 % suggests that real‑world exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is an ordinary SSRF path: a feature that fetches externally supplied URLs. The attacker must have network reach to the vulnerable application but needs no additional privileged access to the server. While the flaw can enable internal network discovery or data exfiltration, it does not lead to remote code execution without further weaknesses.

Generated by OpenCVE AI on April 29, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or later to apply the vendor patch that restores proper IPv6 special‑use range filtering.
  • If a patch cannot be applied immediately, configure network or host‑level firewalls to block outgoing requests from the OpenClaw server to the known IPv6 special‑use ranges (e.g., ::1, fc00::/7, 2001:db8::/32).
  • Restrict or disable any OpenClaw API endpoints that accept arbitrary URLs supplied by external users, thereby reducing the surface area for SSRF exploitation.

Generated by OpenCVE AI on April 29, 2026 at 17:17 UTC.
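To make the recommendation above concrete, here is an added example (my own code, not part of the OpenCVE record or the OpenClaw code base) of the destination check an SSRF guard needs so that IPv6 special-use ranges are not overlooked. The record does not name the four ranges OpenClaw missed, so the range list and labels below are my assumption of what such a guard should cover; hostnames are deliberately left to the caller, which must resolve them and re-check every returned address.

```python
import ipaddress

# Special-use ranges a fetch guard should refuse (drawn from the IANA special-purpose
# address registries; assumed list, the CVE record does not enumerate the missed ranges).
SPECIAL_USE = [(ipaddress.ip_network(cidr), label) for cidr, label in (
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("64:ff9b::/96", "NAT64"),
    ("100::/64", "discard-only"),
    ("2001::/32", "Teredo"),
    ("2001:db8::/32", "documentation"),
    ("2002::/16", "6to4"),
    ("fc00::/7", "unique local"),
    ("fe80::/10", "link-local"),
    ("fec0::/10", "site-local (deprecated)"),
    ("ff00::/8", "multicast"),
    ("0.0.0.0/8", "this network"),
    ("10.0.0.0/8", "private"),
    ("100.64.0.0/10", "shared address space"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
    ("224.0.0.0/4", "multicast"),
)]

def _normalise(host: str) -> str:
    """Strip URL bracket syntax ([::1]) and any zone id (fe80::1%eth0) before parsing."""
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host.split("%", 1)[0]

def classify(host: str):
    """Return the special-use label a literal IP host falls in, or None when the host
    is not an IP literal (a hostname: resolve it and re-check each answer) or lies
    outside every listed range. The label is what a guard should log on refusal."""
    try:
        addr = ipaddress.ip_address(_normalise(host))
    except ValueError:
        return None
    for net, label in SPECIAL_USE:
        # ipaddress handles case, leading zeros and dotted-quad tails (::ffff:127.0.0.1)
        if addr.version == net.version and addr in net:
            return label
    return None

def is_blocked_destination(host: str) -> bool:
    """The guard decision: refuse any literal that lands in a special-use range."""
    return classify(host) is not None
```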


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-918

Fri, 24 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.
Title OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-184
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T14:08:10.160Z

Reserved: 2026-04-20T14:09:02.629Z

Link: CVE-2026-41361

Vulnrichment

Updated: 2026-04-24T14:07:55.574Z

NVD

Status : Analyzed

Published: 2026-04-23T22:16:43.870

Modified: 2026-04-29T14:08:18.713

Link: CVE-2026-41361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:30:16Z

Weaknesses