OpenClaw Incomplete IPv4 Special-Use Range Validation SSRF Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in OpenClaw versions prior to 2026.2.22. The issue arises from incomplete validation of IPv4 special-use ranges in the 'isPrivateIpv4()' function, which allows requests to bypass SSRF policy checks. Through the 'web_fetch' functionality, requests can reach addresses that should be blocked, including RFC-reserved ranges such as 198.18.0.0/15 and other non-global ranges.
Impact
Exploitation of this vulnerability allows requests to special-use IPv4 ranges to bypass SSRF policy checks, potentially leading to unauthorized access to internal or restricted resources.
Reproduction
The vulnerability can be reproduced by sending a request through the 'web_fetch' functionality while the application is running a version prior to 2026.2.22. The request should be directed to a URL that includes an IPv4 address from a special-use range that is typically blocked by the application's SSRF protection, such as 198.18.0.1.
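As an added example (not OpenClaw's own code), the check described above and in the reproduction step, written in TypeScript: a constructed incomplete range list beside a complete list drawn from the IANA IPv4 special-purpose registry, with a strict parser that fails closed on malformed input. The function and list names are assumptions.

```typescript
// Added example (not OpenClaw's code): a complete special-use IPv4 check
// beside a constructed incomplete one, showing how 198.18.0.1 slips through.
// Non-globally-reachable IPv4 ranges from the IANA special-purpose registry.
export const SPECIAL_USE_IPV4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
  "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
  "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
];

// Constructed incomplete list (RFC 1918, loopback, link-local only) used to
// illustrate the failure mode; it is not the project's actual list.
export const INCOMPLETE_IPV4 = [
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
];

// Strict dotted-quad decimal -> 32-bit unsigned integer, or null for anything
// else (leading zeros, hex, short forms), so malformed input is never allowed.
export function parseIpv4(ip: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const s = m[i] ?? "";
    const octet = Number(s);
    if (octet > 255 || (s.length > 1 && s.startsWith("0"))) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Membership test against one "a.b.c.d/bits" CIDR block (bits 1..32).
function inCidr(addr: number, cidr: string): boolean {
  const [base = "", bitsStr = "32"] = cidr.split("/");
  const baseNum = parseIpv4(base);
  const bits = Number(bitsStr);
  if (baseNum === null || bits < 1 || bits > 32) return false;
  const mask = (0xffffffff << (32 - bits)) >>> 0; // `bits` leading ones
  return ((addr & mask) >>> 0) === ((baseNum & mask) >>> 0);
}

// True when `ip` must be blocked: it is in a special-use range, or it did not
// parse strictly (fail closed). `ranges` defaults to the complete list.
export function isNonGlobalIpv4(ip: string, ranges = SPECIAL_USE_IPV4): boolean {
  const addr = parseIpv4(ip);
  return addr === null || ranges.some((c) => inCidr(addr, c));
}
```

Passing INCOMPLETE_IPV4 as the second argument reproduces the gap: 198.18.0.1 and 100.64.0.1 are reported as global, while the default list blocks them.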
Remediation
Users can update to OpenClaw version 2026.2.22 or later to address this vulnerability.
