CVE-2026-27488

HIGH
2026-02-21 [email protected] GHSA-w45g-5746-x9fp
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 22:04 vuln.today
Patch Released
Feb 23, 2026 - 20:41 nvd
Patch available
CVE Published
Feb 21, 2026 - 10:16 nvd
HIGH 7.3

Tags

SSRF AI / ML Openclaw

Description

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.

Analysis

OpenClaw versions 2026.2.17 and earlier allow unauthenticated remote attackers to access internal and metadata endpoints through unprotected cron webhook delivery mechanisms that lack SSRF validation. An attacker can exploit this to reach private services and endpoints that should be restricted, potentially leading to information disclosure or lateral movement within the infrastructure. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: identify all OpenClaw deployments and their versions in your environment; isolate any version 2026.2.17 or below from production if feasible. Within 7 days: apply the available security patch to all affected instances and validate successful deployment. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

CVE-2026-27488 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy