Description
OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.
Published: 2026-04-28
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Bypass of Server-Side Request Forgery safeguards enabling access to internal resources via interaction-triggered navigation
Action: Patch
AI Analysis

Impact

OpenClaw versions earlier than 2026.4.8 are vulnerable to a server-side request forgery policy bypass that allows an attacker to trigger navigations through browser interactions. This flaw lets a malicious actor sidestep the normal SSRF checks enforced by the application, reaching restricted internal endpoints or services that would otherwise be unreachable from the public network. The impact is a compromise of the confidentiality, and potentially the integrity, of internal resources reachable through the affected request pathway.

Affected Systems

The affected product is OpenClaw; any deployment running a release before 2026.4.8 is affected. The vulnerability applies to the Node.js implementation of the OpenClaw server and may affect any instance that exposes the interaction-triggered navigation feature.

Risk and Exploitability

The CVSS v4.0 base score of 4.8 indicates moderate severity; note that the same record also carries a CVSS v3.1 score of 7.6 (High) with a scope-changed vector, so the 4.8 figure is not the only rating attached to this CVE. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, which suggests it has not yet been widely exploited. Based on the description, the likely attack vector is a remote user manipulating a browser session to invoke navigation requests that the server incorrectly treats as legitimate. Attackers do not need elevated credentials or local access, but must be able to influence the client browser or craft a specially designed request to the vulnerable endpoint.

Generated by OpenCVE AI on April 28, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.4.8 or later to apply the vendor's fix
  • If an immediate upgrade is not possible, restrict the endpoint that triggers navigation by firewall rules or network segmentation to limit access to trusted users
  • Disable or tightly control browser interaction features that can trigger automatic navigation, such as autoplay or form submissions, via application configuration or a content security policy


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.
Title | | OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-918
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T12:15:57.302Z

Reserved: 2026-04-22T15:20:49.859Z

Link: CVE-2026-41912

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:44.970

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses