OpenClaw CVE-2026-41302

Severity: MEDIUM (4.8, CVSS 4.0)
Weakness: Server-Side Request Forgery (SSRF) (CWE-918)
Date: 2026-04-21, source: [email protected]

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: Low
User Interaction: Passive
Scope: not a CVSS 4.0 metric (the S:X in the vector is the undefined Safety supplemental metric)

Lifecycle Timeline

1. Analysis generated: Apr 21, 2026, 00:40 (vuln.today)

Description (NVD)

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external services on behalf of the affected system.

Analysis (AI-generated)

OpenClaw before version 2026.3.31 contains a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality: plugin downloads are issued with unguarded fetch() calls, so a remote attacker holding a low-privileged account (PR:L), given a passive action by another user (UI:P) and a precondition outside the attacker's control (AT:P), can make the OpenClaw server send arbitrary network requests. Because the requests originate from the server, they can reach internal resources or interact with external services on its behalf, potentially disclosing sensitive data or compromising internal infrastructure; the vector's SC:H reflects that subsequent-system confidentiality impact. No public exploit code or active exploitation had been identified at the time of analysis.

