CVE Reports

Posted on • Originally published at cvereports.com

GHSA-rhfg-j8jq-7v2h: Server-Side Request Forgery via Unguarded Base URLs in OpenClaw Extensions

Vulnerability ID: GHSA-RHFG-J8JQ-7V2H
CVSS Score: 7.2
Published: 2026-03-29

OpenClaw versions prior to 2026.3.26 suffer from a high-severity Server-Side Request Forgery (SSRF) vulnerability. The application fails to apply strict URL validation and DNS pinning mechanisms across multiple channel extensions, allowing users with configuration access to target internal network services.

TL;DR

Incomplete SSRF mitigations in OpenClaw allow attackers with configuration access to issue arbitrary HTTP requests to internal networks via Mattermost, Nextcloud-Talk, and BlueBubbles extensions.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • Authentication Required: Yes (Configuration Access)
  • Impact: Internal Network Access, Information Disclosure
  • Exploit Status: Proof of Concept
  • Fix Version: 2026.3.26

Affected Systems

  • OpenClaw Application
  • OpenClaw Mattermost Extension
  • OpenClaw Nextcloud-Talk Extension
  • OpenClaw BlueBubbles Extension
  • OpenClaw: < 2026.3.26 (Fixed in: 2026.3.26)

Code Analysis

Commit: f92c925

The fix commit introduces a mandatory allowPrivateNetwork policy and refactors the Mattermost, Nextcloud-Talk, and BlueBubbles extensions to route their outbound requests through fetchWithSsrFGuard, so that a configured base URL is validated and its resolved address checked against private ranges before any connection is made.

Mitigation Strategies

  • Upgrade OpenClaw application to the patched release.
  • Implement network-level egress filtering to block access to internal and link-local IP ranges.
  • Enforce strictly regulated role-based access control on application configuration interfaces.
  • Require IMDSv2 on cloud instances to mitigate metadata exfiltration risks.

Remediation Steps:

  1. Verify the current running version of OpenClaw.
  2. Download and install OpenClaw version 2026.3.26 or later.
  3. Audit all existing channel extension configurations to ensure no unauthorized internal URLs are present.
  4. Restart the OpenClaw service to ensure all new configuration policies and HTTP client wrappers are active.

Read the full report for GHSA-RHFG-J8JQ-7V2H on our website for more details including interactive diagrams and full exploit analysis.
