Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 npm packages depend on openclaw (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.28.
DescriptionCVE.org
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.
AnalysisAI
Server-side request forgery in OpenClaw before 2026.3.28 allows unauthenticated remote attackers to fetch internal URLs through unguarded image download operations in the fal provider image-generation-provider.ts component, enabling exposure of internal service metadata and responses via the image pipeline. CVSS 5.3 indicates moderate integrity impact without authentication requirements. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
OpenClaw's fal relay provider component implements image generation and download functionality via the image-generation-provider.ts module. The vulnerability stems from insufficient validation of URLs passed to image fetch operations (CWE-918: Server-Side Request Forgery), allowing an attacker to manipulate the relay into requesting arbitrary internal URLs. The fal relay-either malicious or compromised-can leverage these unguarded fetch calls to access internal service endpoints that would normally be restricted to local/trusted clients. The SSRF originates in the image pipeline's handling of download requests, where URL validation is absent or insufficient, permitting attackers to reach internal metadata services, private APIs, or configuration endpoints.
RemediationAI
Upgrade to OpenClaw 2026.3.28 or later, which includes the patch committed at 80d1e8a11a2ac118c7f7a70bba9c862b6141d928. Vendor advisory details are available at https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3. For deployment environments unable to upgrade immediately, implement network-level controls to restrict outbound connections from OpenClaw fal relay instances to known-safe internal service endpoints, and validate all URLs passed to image download operations to prevent SSRF attacks. Comprehensive patch and advisory information is available via VulnCheck at https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17471