OpenClaw Server-Side Request Forgery Vulnerability in Attachment and Media URL Hydration

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in OpenClaw versions prior to 2026.2.2. This vulnerability allows remote attackers to make the gateway fetch arbitrary HTTP or HTTPS URLs on their behalf. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can exploit this vulnerability to reach internal resources and exfiltrate the fetched response bytes as outbound attachments.

Impact

Exploitation of this vulnerability results in server-side request forgery: the application is coerced into making HTTP requests to internal resources on the attacker's behalf, potentially leading to unauthorized data access or leakage.

Reproduction

To reproduce this vulnerability, upload a file or send a message that includes a media URL pointing to an internal resource, such as a localhost service or a private IP address. The OpenClaw gateway will fetch the URL and use the response bytes as an attachment, effectively exfiltrating data from the internal resource.

Remediation

Users are advised to upgrade to OpenClaw version 2026.2.2 or later, where this vulnerability has been patched.
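The root cause described above is a media fetcher that issues an outbound request for whatever URL it is handed. The following is an added example of the kind of pre-fetch guard that closes this class of bug; it is not OpenClaw's own code and does not reproduce the 2026.2.2 patch. It assumes a hypothetical `vet_media_url` entry point that the attachment hydration path would call before fetching, an injectable resolver so it can be exercised offline, and a constructed DNS table with sample addresses.

```python
# Added example (not OpenClaw's own code): a pre-fetch guard for media/attachment
# URLs that rejects destinations on loopback, private, link-local and other
# non-public address ranges before any outbound request is made.
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical resolver type: hostname -> list of IP address strings.
Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the system resolver and return every A/AAAA answer."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are unwrapped first so the
    check runs against the embedded IPv4 address.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def vet_media_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str, List[str]]:
    """Decide whether a media URL may be fetched.

    Returns (allowed, reason, vetted_ips). When allowed, the caller should
    connect to one of vetted_ips (sending the original hostname in the Host
    header / SNI) rather than re-resolving, so the DNS answer cannot change
    between this check and the fetch.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed", []
    try:
        # IP literals (including bracketed IPv6) need no resolution.
        ips = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            ips = resolver(parts.hostname)
        except (socket.gaierror, OSError) as exc:
            return False, f"resolution failed: {exc}", []
    if not ips:
        return False, "host resolved to no addresses", []
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        # Reject if *any* answer is non-public: a mixed answer set is a
        # common way to slip a private destination past a first-answer check.
        return False, f"non-public address(es): {', '.join(bad)}", []
    return True, "ok", ips


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed hostname table."""
    def resolve(hostname: str) -> List[str]:
        if hostname not in table:
            raise socket.gaierror(f"constructed: no record for {hostname}")
        return table[hostname]
    return resolve


# Constructed sample table for offline demonstration (addresses are samples).
SAMPLE_DNS = fake_resolver({
    "cdn.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
})

if __name__ == "__main__":
    for u in ["https://cdn.example/a.png", "http://127.0.0.1:8080/admin",
              "http://[::1]/", "http://metadata.internal/",
              "http://rebind.example/", "ftp://cdn.example/x"]:
        print(u, vet_media_url(u, SAMPLE_DNS))
```

The guard returns the vetted addresses so the fetcher can connect to them directly; a fetcher that re-resolves the hostname after the check reintroduces a rebinding window. Redirects must be passed back through the same check, since a permitted public host can answer with a 3xx to an internal address.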

Added: Mar 5, 2026, 10:35 PM
Updated: Mar 5, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.7
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.