CVE Reports

Originally published at cvereports.com

GHSA-9Q7V-8MR7-G23P: Server-Side Request Forgery (SSRF) in OpenClaw AI Assistant

Vulnerability ID: GHSA-9Q7V-8MR7-G23P
CVSS Score: 7.6
Published: 2026-04-02

OpenClaw versions prior to v2026.3.31 suffer from a high-severity Server-Side Request Forgery (SSRF) vulnerability. The application fails to validate user-supplied URLs in the Ollama extension and Marketplace plugin downloader, allowing unauthenticated or authenticated attackers to perform outbound HTTP requests to arbitrary internal and external resources.

TL;DR

A Server-Side Request Forgery (SSRF) flaw in OpenClaw allows attackers to access internal network resources via unvalidated URL inputs in the Ollama configuration and Marketplace plugin downloader.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.6
  • Impact: High - Confidentiality and Integrity
  • Exploit Status: Proof of Concept Available
  • Affected Components: Ollama Extension, Marketplace Downloader

Affected Systems

  • OpenClaw AI Assistant Backend
  • OpenClaw Ollama Extension
  • OpenClaw Marketplace Plugin Downloader
  • OpenClaw: < v2026.3.31 (Fixed in: v2026.3.31)

Code Analysis

Commit: 8deb952

Implementation of SSRF guard wrapper and hostname pinning for Ollama configuration.

export function buildOllamaBaseUrlSsrFPolicy(baseUrl: string): SsrFPolicy | undefined { ... }

Mitigation Strategies

  • Upgrade OpenClaw application to version v2026.3.31 or later.
  • Enforce strict egress network filtering on the host machine running OpenClaw.
  • Implement IMDSv2 in AWS environments to require session tokens for metadata queries.
  • Monitor outbound HTTP connections to RFC1918 IP addresses or the loopback interface.
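The commit summary above describes an SSRF guard wrapper with hostname pinning for the Ollama base URL, and the monitoring bullet asks for outbound connections to RFC1918 or loopback destinations to be flagged. The following TypeScript is an added example written for this page, not OpenClaw's code from commit 8deb952: it shows one way to build such a guard (reject non-HTTP schemes, embedded credentials, and literal internal addresses; pin the resulting host and port so redirects cannot escape it) and reuses the same address classifier to flag log lines. The function names, the `SsrfPolicy` type and the log line format are hypothetical.

```typescript
// Added example (not OpenClaw's code): an SSRF guard for a user-supplied base URL such as
// an Ollama baseUrl, hostname pinning for requests made under it, and a detector that flags
// outbound-connection log lines aimed at RFC1918/loopback/link-local address space.
// All names and the log format are hypothetical.

type SsrfPolicy = { host: string; port: number };

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Address ranges a backend should never contact on a user's behalf.
function isInternalIPv4(o: number[]): boolean {
  const [a, b] = o;
  return a === 10 ||                          // 10.0.0.0/8 (RFC1918)
    (a === 172 && b >= 16 && b <= 31) ||      // 172.16.0.0/12 (RFC1918)
    (a === 192 && b === 168) ||               // 192.168.0.0/16 (RFC1918)
    a === 127 ||                              // loopback
    (a === 169 && b === 254) ||               // link-local, includes cloud metadata 169.254.169.254
    a === 0;                                  // 0.0.0.0/8
}

function isInternalIPv6(host: string): boolean {
  const h = host.toLowerCase();
  if (h === "::1" || h === "::") return true;           // loopback / unspecified
  const mappedDotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (mappedDotted) {                                   // IPv4-mapped, dotted form
    const o = parseIPv4(mappedDotted[1]);
    return o === null || isInternalIPv4(o);
  }
  const mappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (mappedHex) {                                      // IPv4-mapped, hex form (WHATWG URL output)
    const hi = parseInt(mappedHex[1], 16), lo = parseInt(mappedHex[2], 16);
    return isInternalIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255]);
  }
  return /^fe[89ab]/.test(h) || /^f[cd]/.test(h);       // fe80::/10 link-local, fc00::/7 ULA
}

function isInternalHost(host: string): boolean {
  const bare = host.replace(/^\[|\]$/g, "");            // URL.hostname keeps IPv6 brackets
  if (bare === "localhost" || bare.endsWith(".localhost")) return true;
  const v4 = parseIPv4(bare);
  if (v4) return isInternalIPv4(v4);
  return bare.includes(":") && isInternalIPv6(bare);
}

function portOf(u: URL): number {
  return u.port ? Number(u.port) : (u.protocol === "https:" ? 443 : 80);
}

// Build a pinned policy from a configured base URL, or return undefined (reject) when the
// URL is malformed, uses a non-HTTP scheme, carries credentials, or names internal address space.
function buildBaseUrlPolicy(baseUrl: string): SsrfPolicy | undefined {
  let u: URL;
  try { u = new URL(baseUrl); } catch { return undefined; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return undefined;
  if (u.username || u.password) return undefined;
  const host = u.hostname.replace(/^\[|\]$/g, "");
  if (host === "" || isInternalHost(host)) return undefined;
  return { host, port: portOf(u) };
}

// Hostname pinning: every request made under the policy, including any redirect target,
// must land on exactly the host and port the policy was built for.
function requestAllowed(policy: SsrfPolicy, requestUrl: string): boolean {
  let u: URL;
  try { u = new URL(requestUrl); } catch { return false; }
  const host = u.hostname.replace(/^\[|\]$/g, "");
  return host === policy.host && portOf(u) === policy.port;
}

// Detection: return outbound-connection records whose destination is internal address space.
// Constructed log format: "<timestamp> outbound dst=<ip>:<port> url=<url>".
function flagInternalDestinations(lines: string[]): string[] {
  return lines.filter((line) => {
    const m = /\bdst=(\[[^\]]+\]|[^:\s]+):(\d+)/.exec(line);
    return m !== null && isInternalHost(m[1]);
  });
}

// Constructed sample log lines for the detector.
const sampleLog: string[] = [
  "2026-04-02T10:00:01Z outbound dst=203.0.113.10:443 url=https://models.example.net/v1",
  "2026-04-02T10:00:02Z outbound dst=169.254.169.254:80 url=http://169.254.169.254/latest/meta-data/",
  "2026-04-02T10:00:03Z outbound dst=10.0.0.5:11434 url=http://10.0.0.5:11434/api/tags",
  "2026-04-02T10:00:04Z outbound dst=[::1]:11434 url=http://[::1]:11434/api/tags",
];

console.log(buildBaseUrlPolicy("https://models.example.net/v1"));   // { host: "models.example.net", port: 443 }
console.log(buildBaseUrlPolicy("http://169.254.169.254/"));         // undefined
console.log(flagInternalDestinations(sampleLog).length);            // 3
```

The guard only classifies address literals. A public hostname can still resolve to an internal address (DNS rebinding), so a production wrapper should resolve the pinned host at connect time and run the same classifier over the resolved address before opening the socket; deployments that legitimately run Ollama on loopback would need an explicit, audited opt-in rather than a relaxed default.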

Remediation Steps:

  1. Identify all deployed instances of OpenClaw prior to version v2026.3.31.
  2. Pull the latest Docker image or source release corresponding to v2026.3.31.
  3. Restart the OpenClaw service with the updated binaries.
  4. Review historical logs for suspicious Ollama baseUrl configurations or unauthorized marketplace plugin downloads.

References


Read the full report for GHSA-9Q7V-8MR7-G23P on our website for more details including interactive diagrams and full exploit analysis.
