CVE Reports

Posted on • Originally published at cvereports.com

GHSA-PG2V-8XWH-QHCC: The Call Is Coming From Inside the House: OpenClaw SSRF Analysis

Vulnerability ID: GHSA-PG2V-8XWH-QHCC
CVSS Score: 6.5
Published: 2026-02-18

A classic Server-Side Request Forgery (SSRF) vulnerability in OpenClaw's Tlon (Urbit) extension allowed authenticated users to coerce the server into making arbitrary HTTP requests to internal networks, loopback interfaces, or cloud metadata services. By failing to validate the user-supplied 'ship' URL, the application acted as an open proxy for internal reconnaissance.

TL;DR

The Tlon extension for OpenClaw didn't check if the URL you gave it was safe. Attackers could point it at localhost or AWS metadata (169.254.169.254) to steal credentials or map internal networks. Fixed in version 2026.2.14 by adding a strict SSRF guard and URL validator.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Server-Side Request Forgery (SSRF)
  • CWE ID: CWE-918
  • CVSS Score: 6.5 (Medium)
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated User)
  • Exploit Status: PoC Available

Affected Systems

  • OpenClaw Server
  • Tlon (Urbit) Extension
  • openclaw: <= 2026.2.13 (Fixed in: 2026.2.14)

Code Analysis

Commit: bfa7d21

fix(tlon): add SSRF protection for Urbit ship connection

@@ -12,4 +12,18 @@
-  const resp = await fetch(`${url}/~/login`, {
+  const validatedUrl = validateUrbitBaseUrl(url);
+  const resp = await fetchWithSsrFGuard(`${validatedUrl}/~/login`, {
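Review bot: the header `@@ -12,4 +12,18 @@` counts 14 added lines beyond the three shown, and the guard visible here wraps only the `/~/login` request; confirm that every later request to the ship is built from `validatedUrl` rather than the raw `url`, and that `fetchWithSsrFGuard` re-checks the destination on redirects and against the address the hostname actually resolves to, since a DNS name can pass `validateUrbitBaseUrl` lexically and still resolve to a loopback, RFC 1918 or metadata address. As a style point, `fetchWithSsrFGuard` mixes case inside the acronym; `fetchWithSsrfGuard` would match the usual camelCase treatment of initialisms.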

Exploit Details

  • Internal Analysis: Proof of concept involves setting the Urbit URL to local or cloud metadata addresses.
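The hardening the advisory describes, as an added example that is not OpenClaw's own code: a validator for the user-supplied ship URL that rejects the loopback, private and link-local (cloud metadata) destinations named above. The function names, the `allowPrivateNetwork` option and the sample ship host are assumptions; the resolve-time check that a fetch wrapper must still perform is only noted, not implemented.

```javascript
// Added example, not OpenClaw's own code: a lexical SSRF validator for a
// user-supplied Urbit ship base URL (function and option names assumed).
// It classifies literal hosts only; a DNS name that resolves to a private
// address must still be rejected by the fetch wrapper at connect time.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.some((x) => x > 255) ? null : ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Blocked IPv4: "this network", RFC 1918, CGNAT, loopback, link-local (which
// holds the 169.254.169.254 metadata endpoint) and multicast/reserved (224/3).
const BLOCKED_V4 = [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3]];

function isBlockedIpv4Int(ip) {
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// `hostname` comes from the WHATWG URL parser: IPv6 literals arrive bracketed,
// lower-cased and compressed, so ::ffff:127.0.0.1 shows up as [::ffff:7f00:1].
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = ipv4ToInt(h);
  if (v4 !== null) return isBlockedIpv4Int(v4);
  if (!h.startsWith("[")) return false; // DNS name: needs the resolve-time check
  const v6 = h.slice(1, -1);
  if (v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return true;
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6); // IPv4-mapped
  return mapped ? isBlockedIpv4Int(((parseInt(mapped[1], 16) << 16) | parseInt(mapped[2], 16)) >>> 0) : false;
}

// Returns the normalised origin or throws. `allowPrivateNetwork` mirrors the
// config key named in the remediation steps; how it is wired up is assumed.
function validateUrbitBaseUrl(raw, { allowPrivateNetwork = false } = {}) {
  let u;
  try { u = new URL(raw); } catch { throw new Error("ship URL must be an absolute URL"); }
  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error(`unsupported scheme ${u.protocol}`);
  if (u.username || u.password) throw new Error("credentials in ship URL are not allowed");
  if (!allowPrivateNetwork && isBlockedHost(u.hostname)) throw new Error(`ship host ${u.hostname} is not routable`);
  return u.origin; // path/query dropped: callers append fixed paths such as /~/login
}
```

Because the WHATWG parser canonicalises hosts before the check, alternative IPv4 spellings such as `2130706433` or `0177.0.0.1` arrive as `127.0.0.1` and are caught as well.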

Mitigation Strategies

  • Disable the Tlon extension if not strictly required.
  • Implement egress filtering (firewall rules or security groups) to block outbound traffic from the OpenClaw host to private IP ranges (RFC 1918), loopback and link-local addresses, and cloud metadata services.
  • Run OpenClaw with least-privilege IAM roles/service accounts to limit blast radius of credential theft.

Remediation Steps:

  1. Identify if the 'openclaw' package is installed in your project.
  2. Check package.json for versions <= 2026.2.13.
  3. Update to fixed version: npm install openclaw@2026.2.14 or later.
  4. Verify configuration: Ensure allowPrivateNetwork is set to false in the Tlon extension config.

References


Read the full report for GHSA-PG2V-8XWH-QHCC on our website for more details including interactive diagrams and full exploit analysis.