OpenClaw Server-Side Request Forgery Policy Bypass Vulnerability

Vulnerability

A server-side request forgery (SSRF) policy bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.8. An attacker who can influence the application's browser interactions can trigger a navigation that is not subjected to the usual SSRF checks, potentially reaching restricted resources.

Impact

Exploitation of this vulnerability can lead to unauthorized access to restricted resources by bypassing normal SSRF protections.

Reproduction

The vulnerability can be reproduced on a version of OpenClaw prior to 2026.4.8 by initiating a browser interaction that triggers a navigation to a destination the SSRF protections would normally block. The navigation bypasses the standard checks, allowing access to restricted resources.

Remediation

Users can upgrade to OpenClaw version 2026.4.8 or later to address this vulnerability.
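For context on what a fix of this kind has to enforce, the following is an added illustration of an SSRF destination policy that is applied to every hop of a browser navigation (the initial URL plus each redirect or script-triggered navigation), not only to the first request. It is not OpenClaw's code; the name-to-address map is constructed so the example runs offline, and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver map so the example runs offline. A real deployment
# would call socket.getaddrinfo() and check every returned address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localtest.me": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private
}

ALLOWED_SCHEMES = {"http", "https"}


def resolve(host, resolver=FAKE_DNS):
    """Return the addresses for host ([] if unknown). Literal IPs map to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolver.get(host.lower(), [])


def is_public_address(addr):
    """True only for globally routable addresses; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_navigation_target(url, resolver=FAKE_DNS):
    """Return (allowed, reason) for a single navigation destination.

    Rejects non-http(s) schemes, URLs without a host, unresolvable hosts, and
    any host whose address set contains a non-public address (so a name that
    mixes public and private answers is rejected, not allowed on the public one).
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolve(host, resolver)
    if not addrs:
        return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def check_navigation_chain(hops, resolver=FAKE_DNS):
    """Apply the policy to every hop of a navigation; the first failing hop stops it.

    The point of checking each hop is that a policy applied only to the first
    URL can be sidestepped by a navigation that occurs after the check.
    """
    for i, url in enumerate(hops):
        allowed, reason = check_navigation_target(url, resolver)
        if not allowed:
            return False, f"hop {i}: {reason}"
    return True, "ok"


if __name__ == "__main__":
    print(check_navigation_chain(["https://example.com/", "http://localtest.me/admin"]))
```

The design choice worth noting is that the chain check is the policy's enforcement point for a browser-driven fetch: a single check on the first URL says nothing about where later navigations end up, so the same validation has to run on every destination the browser is about to load.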

Added: Apr 28, 2026, 8:43 PM
Updated: Apr 28, 2026, 8:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 6.6
remediation: 0.0
relevance: 6.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.