Openclaw
CVE-2026-41297
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers to redirect requests to arbitrary internal or external servers.
AnalysisAI
OpenClaw before version 2026.3.31 allows authenticated users to exploit server-side request forgery (SSRF) through unvalidated HTTP redirects in the marketplace plugin download functionality, enabling access to internal resources and potential information disclosure. The marketplace.ts module fails to validate redirect destinations during archive downloads, permitting remote attackers with valid credentials and user interaction to redirect requests to arbitrary internal or external servers. Real-world exploitation is limited by authentication and interaction requirements, keeping the baseline CVSS at 4.8 (medium), though impact depends on network exposure of internal services.
Technical ContextAI
The vulnerability exists in OpenClaw's marketplace.ts module, which handles plugin archive downloads. The root cause is CWE-918 (Server-Side Request Forgery), a class where an application fetches remote resources without validating the destination URL. In this case, the download functionality fails to validate or restrict HTTP redirect destinations (3xx responses), allowing attackers to chain legitimate requests to redirect to attacker-controlled or internal endpoints. The attacker can manipulate the download request to cause the server to fetch content from internal resources (e.g., metadata endpoints, administrative interfaces, or cloud instance metadata services like AWS IMDSv1) that would normally be access-restricted. This differs from typical SSRF attacks because the trigger is an HTTP redirect chain rather than direct URL manipulation, making it a redirect-based SSRF variant often harder to detect in security reviews.
RemediationAI
Upgrade OpenClaw to version 2026.3.31 or later, which includes the fix referenced in GitHub commit 2ce44ca6a1302b166a128abbd78f72114f2f4f52. This patch adds validation to redirect destinations in the marketplace.ts module, restricting downloads to whitelisted or validated hostnames. For organizations unable to immediately patch, implement these compensating controls: (1) restrict network access from the OpenClaw application server to internal resources by implementing egress filtering rules that block outbound connections to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local addresses (169.254.0.0/16)-this prevents SSRF to internal systems but may break legitimate integrations with internal artifact repositories; (2) disable or restrict the marketplace plugin feature if not actively used, removing the attack surface entirely; (3) require users to authenticate with additional factors (IP whitelist, VPN) to access marketplace functionality. Consult the official GitHub Security Advisory (GHSA-vjx8-8p7h-82gr) and VulnCheck advisory for detailed patch guidance and any additional mitigations specific to your deployment.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today