Is there a public PoC exploit available for CVE-2026-6011?

Yes, a public proof-of-concept exploit is available for CVE-2026-6011. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-6011?

Yes, a patch is available for CVE-2026-6011. Update the affected software to the latest version immediately.

OpenClaw CVE-2026-6011

Q: What is the CVSS score of CVE-2026-6011?

CVE-2026-6011 has a CVSS 4.0 base score of 2.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-21306 LOW

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-10 VulDB

GHSA-52vj-fvrv-7q82

SSRF

2.9

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.3 (MEDIUM) 2.9 (LOW)

PoC Detected

Apr 10, 2026 - 05:16 vuln.today

Public exploit code

EUVD ID Assigned

Apr 10, 2026 - 04:45 euvd

EUVD-2026-21306

Analysis Generated

Apr 10, 2026 - 04:45 vuln.today

Patch released

Apr 10, 2026 - 04:45 nvd

Patch available

CVE Published

Apr 10, 2026 - 03:45 nvd

MEDIUM 6.3

DescriptionNVD

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.

AnalysisAI

Server-side request forgery (SSRF) in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) allows remote attackers to craft requests that bypass hostname validation and reach internal or restricted systems. Affected versions up to 2026.1.26 are vulnerable; the attack requires high complexity but publicly available exploit code exists. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6011 vulnerability details – vuln.today

Back