OpenClaw Server-Side Request Forgery Vulnerability in Browser SSRF Policy
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in OpenClaw versions prior to 2026.4.14. The default browser SSRF policy in those versions permits navigation to private-network addresses. Because the browser is driven on behalf of the server, an attacker who can influence the URL it navigates to can reach internal services or cloud metadata endpoints that the SSRF policy was expected to block.
Impact
Exploitation of this vulnerability could give an attacker unauthorized access to internal services or metadata endpoints through the browser that OpenClaw drives, bypassing the SSRF protections the policy is meant to provide.
Reproduction
To reproduce this vulnerability, use an OpenClaw version earlier than 2026.4.14, where the default browser SSRF policy still allows private-network navigation. With the policy left in its default state, direct the browser to a private-network address or a metadata endpoint and observe that the navigation is not blocked.
Remediation
Users should upgrade to OpenClaw version 2026.4.14 or later. The npm release 2026.4.14 includes the fix.
