Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects AT:P from the 4.0 vector, requiring specific metadata control conditions; PR:L matches confirmed low-privilege requirement; C:H for Gateway token theft.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 npm packages depend on openclaw (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.5.2.
DescriptionCVE.org
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by providing malicious loopback targets through model-controlled action metadata.
AnalysisAI
Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.
Technical ContextAI
CWE-918 (Server-Side Request Forgery) describes the root cause: the application makes outbound HTTP requests to a URL that is wholly or partially controlled by user- or model-supplied input without adequate allow-listing or validation. In OpenClaw, the message.action forwarding subsystem accepts model-controlled metadata that specifies where action payloads should be forwarded. Because the application does not sanitize or restrict the destination URLs within that metadata, an attacker who can inject or manipulate the metadata can redirect the forwarding to an arbitrary loopback address they control. The forwarded payload includes Gateway credentials (tokens), so the receiving endpoint captures live authentication material. The affected CPE is cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* covering all versions before 2026.5.2. This pattern is common in AI-adjacent platforms where model outputs or metadata are trusted to drive internal orchestration calls without sufficient output sanitization.
RemediationAI
The primary fix is to upgrade to OpenClaw 2026.5.2 or later, which resolves the credential forwarding flaw per the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-grc3-2j34-p6gm. If an immediate upgrade is not feasible, restrict which identities or roles can supply or modify model-controlled metadata in the message.action pipeline, since the attack depends on an attacker being able to inject a malicious loopback URL into that metadata; this reduces the PR:L surface but does not eliminate the underlying SSRF flaw. Additionally, enforce an explicit allowlist of valid forwarding destinations at the network or application layer to block requests to unexpected loopback addresses, which would prevent credential exfiltration even if malicious metadata is supplied. Rotate any Gateway tokens that may have been exposed in environments running vulnerable versions before the patch is applied, as stolen credentials remain valid regardless of patching.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36615
GHSA-5hj8-2w5c-mmpr