OpenClaw
- < 2026.4.29
A server-side request forgery (SSRF) policy bypass has been identified in OpenClaw versions prior to 2026.4.29. The issue lies in the browser debug and export routes: a tab whose navigation was blocked by the private-network SSRF policy can remain open, and these routes let an attacker reuse such a still-open blocked tab to inspect or export content that the policy was meant to keep out of reach.
Exploitation of this vulnerability could lead to unauthorized access to content from blocked private-network tabs, allowing inspection or export of sensitive information that should have been protected by the browser's network policy.
Users are advised to close blocked tabs before using the debug or export features. Additionally, browser debug routes should be restricted until the application is updated to version 2026.4.29 or later. As a general hardening measure, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.