OpenClaw Gateway Tool Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in OpenClaw, a personal AI assistant, prior to version 2026.2.14. The issue arises in the Gateway tool, which accepted user-supplied 'gatewayUrl' overrides without adequate validation. This flaw could enable the OpenClaw host to make outbound WebSocket connections to specified targets, including localhost services, private network addresses, or cloud metadata IPs. The vulnerability requires the ability to invoke tools that allow 'gatewayUrl' overrides, typically limited to authenticated operators or trusted automation. In environments where tool invocation results can be observed, this vulnerability could be exploited for network reachability probing.
Impact
Exploitation of this vulnerability allows for unauthorized outbound WebSocket connection attempts from the OpenClaw host to user-specified targets. This could lead to interaction with reachable WebSocket services, potentially causing unintended actions or data exposure.
Reproduction
The vulnerability can be reproduced by invoking a tool that accepts 'gatewayUrl' overrides, such as through the OpenClaw command-line interface or via a channel plugin that supports direct message delivery. The 'gatewayUrl' override can be set to a target that the OpenClaw host can reach, such as a localhost service or a private network address. Once the tool is executed, the OpenClaw host will attempt to connect to the specified 'gatewayUrl', resulting in an outbound connection attempt and a corresponding error or timeout if the target is not reachable.
Remediation
Users should update to OpenClaw version 2026.2.14 or later, where this vulnerability has been patched. Instructions for downloading the latest version are available on the OpenClaw GitHub Releases page.
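As an added illustration (not OpenClaw's own patch), the kind of check a tool should apply to a 'gatewayUrl' override before opening an outbound WebSocket: accept only ws/wss, resolve the host once, reject any address that is not globally routable (loopback, RFC 1918, the 169.254.0.0/16 link-local range that carries cloud metadata endpoints, IPv4-mapped IPv6 literals), and hand the vetted addresses to the connector so a DNS rebinding cannot slip past. The blocked-hostname list and the injectable resolver are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"ws", "wss"}
# Hostnames never accepted as a gateway override (constructed list; extend per deployment).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to all of its addresses (used when no resolver is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_disallowed_ip(ip) -> bool:
    """True for anything not globally routable: loopback, private, link-local
    (covers 169.254.169.254), unspecified, multicast, reserved.
    IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are unwrapped first."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_gateway_url(url: str, resolver=default_resolver):
    """Return (ok, reason, vetted_ips).
    The caller must connect to one of vetted_ips (using the hostname only for
    TLS/SNI) rather than re-resolving the name; a second lookup could rebind."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host", []
    if host in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is blocked", []
    try:
        candidates = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}", []
    if not candidates:
        return False, f"{host!r} resolved to no addresses", []
    for ip in candidates:
        if is_disallowed_ip(ip):
            return False, f"{host!r} resolves to non-public address {ip}", []
    return True, "ok", [str(ip) for ip in candidates]
```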