CVE Reports

Posted on • Originally published at cvereports.com

GHSA-56F2-HVWG-5743: OpenClaw Open Door: SSRF in Your Personal AI Assistant


Vulnerability ID: GHSA-56F2-HVWG-5743
CVSS Score: 8.6
Published: 2026-02-17

OpenClaw, a TypeScript-based personal AI assistant designed to integrate with various tools and LLM providers, contained a critical Server-Side Request Forgery (SSRF) vulnerability. The flaw resided in how the application's tools—specifically the Image Tool and Web Fetch Tool—handled remote resource retrieval. By failing to validate destination IP addresses or enforce egress filtering, the application allowed attackers to coerce the server into making requests to arbitrary internal endpoints. This could lead to the exposure of sensitive cloud metadata (AWS/GCP), access to local services listening on loopback interfaces, or network scanning behind the firewall.

TL;DR

OpenClaw's tools allowed unchecked URL fetching, enabling attackers to hit internal networks and cloud metadata services (SSRF). Patched in v2026.2.2 with a custom fetch guard that implements DNS pinning and IP blocklisting.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS: 8.6 (High)
  • Impact: Information Disclosure / Internal Access
  • Fix Complexity: Moderate (Requires Logic Change)
  • Exploit Status: PoC Available

Affected Systems

  • OpenClaw AI Assistant
  • OpenClaw Image Tool
  • OpenClaw Web Fetch Tool
  • OpenClaw Skill Installer
  • OpenClaw: < 2026.2.2 (Fixed in: 2026.2.2)

Code Analysis

Commit: 81c68f5

fix: guard remote media fetches with SSRF checks

+ import { fetchWithSsrFGuard } from '../../infra/net/fetch-guard';
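Review bot: only the import of fetchWithSsrFGuard is visible in this excerpt; the call sites where the Image Tool and Web Fetch Tool replace their direct fetch with the guard are not shown, so confirm that every remote retrieval path in those tools actually routes through it, since an imported-but-unused guard leaves the SSRF in place.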

Commit: 9bd64c8

fix: expand SSRF guard coverage

Code hardening for IPv6 mapped addresses
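As an added example (not OpenClaw's own fetch-guard, whose source is not reproduced here), the TypeScript below does what the TL;DR and the second commit describe: resolve once, reject loopback, private, link-local and cloud-metadata destinations, apply the IPv4 rules to IPv4-mapped IPv6 spellings, and hand back a pinned address for the connection. The function names (checkDestination, pinAndCheck) are assumed, and the address lists are the author's choice rather than OpenClaw's.

```typescript
import { isIPv4, isIPv6 } from "node:net";
import { promises as dns } from "node:dns";

// Added illustration, not OpenClaw's fetch-guard. Rejects loopback, RFC 1918 / CGNAT,
// link-local (incl. 169.254.169.254 metadata), multicast, and the IPv6 counterparts,
// including IPv4-mapped IPv6 spellings that an IPv4-only check would let through.
const ipv4ToInt = (ip: string): number =>
  ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
const BLOCKED_V4: Array<[string, number]> = [["0.0.0.0", 8], ["10.0.0.0", 8],
  ["100.64.0.0", 10], ["127.0.0.0", 8], ["169.254.0.0", 16], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["224.0.0.0", 3]];

function isBlockedIPv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) =>
    ((n & ((~0 << (32 - bits)) >>> 0)) >>> 0) === ipv4ToInt(base));
}

function isBlockedIPv6(ip: string): boolean {
  const addr = ip.toLowerCase().split("%")[0] ?? "";       // drop zone id (fe80::1%eth0)
  // IPv4-mapped form ("::ffff:a.b.c.d" or "::ffff:hhhh:hhhh"): apply the IPv4 rules.
  const mapped = /^(?:0:0:0:0:0|:):ffff:(.+)$/.exec(addr);
  if (mapped) {
    const tail = mapped[1] ?? "";
    if (isIPv4(tail)) return isBlockedIPv4(tail);
    const [hiS = "", loS = "", extra] = tail.split(":");
    if (extra !== undefined) return true;                  // unparseable: fail closed
    const hi = parseInt(hiS, 16), lo = parseInt(loS, 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (addr === "::1" || addr === "::") return true;        // loopback / unspecified
  const head = parseInt(addr.split(":")[0] || "0", 16);
  return (head & 0xffc0) === 0xfe80 || (head & 0xfe00) === 0xfc00; // link-local, ULA
}

// Validate every resolved address and return the one the caller must connect to;
// reusing that pinned address instead of re-resolving closes the rebinding window.
function checkDestination(host: string, addrs: string[]): string {
  const [first] = addrs;
  const bad = addrs.find((a) => (isIPv4(a) ? isBlockedIPv4(a) : isIPv6(a) ? isBlockedIPv6(a) : true));
  if (first === undefined || bad !== undefined) throw new Error(`refused ${host} -> ${bad ?? "no address"}`);
  return first;
}

async function pinAndCheck(host: string): Promise<string> {
  const h = host.replace(/^\[|\]$/g, "");                  // URL.hostname keeps IPv6 brackets
  const addrs = isIPv4(h) || isIPv6(h) ? [h]
    : (await dns.lookup(h, { all: true })).map((r) => r.address);
  return checkDestination(h, addrs);                       // run again on every redirect hop
}
```

A tool that follows redirects must call pinAndCheck for each hop, and the HTTP client must connect to the returned address (sending the original hostname in the Host/SNI fields) rather than resolving the name a second time.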

Exploit Details

  • Internal Analysis: Exploit involves crafting a JSON tool call with a private IP address.

Mitigation Strategies

  • Implement strict egress filtering using an allowlist where possible.
  • Use a dedicated SSRF protection library or sidecar proxy.
  • Enforce IMDSv2 (AWS) or similar token-based authentication for metadata services.
  • Run the application in a network-segregated environment.

Remediation Steps:

  1. Update OpenClaw to version v2026.2.14 or later.
  2. Verify that the fetchWithSsrFGuard utility is being used in all new tool implementations.
  3. Audit any custom tools or plugins added to the assistant for similar fetch patterns.

