What is the CVSS score of CVE-2026-31989?

CVE-2026-31989 has a CVSS 3.1 base score of 7.4 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Openclaw are affected by CVE-2026-31989?

OpenClaw servers running versions prior to 2026.3.1 are vulnerable to attacks that could allow authenticated users to access internal company systems and sensitive data through malicious citation…. A patch is available.

Openclaw CVE-2026-31989

EUVD-2026-13017 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-03-19 VulnCheck

GHSA-g99v-8hwm-g76g

SSRF Openclaw

7.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 19, 2026 - 01:30 euvd

EUVD-2026-13017

Analysis Generated

Mar 19, 2026 - 01:30 vuln.today

CVE Published

Mar 19, 2026 - 01:00 nvd

HIGH 7.4

DescriptionNVD

OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations.

AnalysisAI

OpenClaw versions prior to 2026.3.1 contain a server-side request forgery (SSRF) vulnerability in the web_search citation redirect resolution component that permits requests to private network ranges. Authenticated attackers with low privileges can manipulate citation redirect targets to force the OpenClaw server to make requests to loopback addresses, private networks, or internal infrastructure, potentially accessing sensitive internal services or data. …

RemediationAI

Within 24 hours: inventory all OpenClaw deployments and their current versions; audit user access logs for suspicious citation redirect activity. Within 7 days: implement network segmentation to restrict OpenClaw server outbound access to only necessary external services; deploy WAF rules to block malicious citation redirect payloads; disable the web_search citation feature if not business-critical. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-31989 vulnerability details – vuln.today

Back