Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs.
AnalysisAI
Server-side request forgery in OpenClaw browser navigation policy before version 2026.4.10 allows authenticated attackers to bypass hostname validation through DNS rebinding attacks, enabling pivots to internal network resources via unallowlisted hostnames. The vulnerability exploits inconsistent hostname resolution between validation checks and actual network requests made by the Chromium engine, with fix confirmed in upstream commit 121c452d and released in version 2026.4.10.
Technical ContextAI
OpenClaw's browser module implements hostname validation within its SSRF protection layer (resolvePinnedHostnameWithPolicy function in ssrf.js) to enforce restrictive navigation policy when dangerouslyAllowPrivateNetwork is disabled. The root cause (CWE-367: improper validation of TOCTOU race condition) stems from validating a hostname resolution result at one point in time while Chromium's network layer performs DNS lookup again later, allowing attackers to use DNS rebinding techniques to change the IP address between validation and actual connection. The fix (PR #64367) refactors CDP HTTP discovery to route through a guarded fetch path (fetchWithSsrFGuard) and enforces that unallowlisted hostnames must fail closed under strict policy, eliminating the time-of-check-time-of-use gap. The vulnerability affects the browser extension's CDP (Chrome DevTools Protocol) endpoint validation and navigation policy enforcement.
RemediationAI
Upgrade OpenClaw to version 2026.4.10 or later immediately; the latest stable release 2026.4.14 includes the fix. For organizations unable to upgrade immediately, disable browser navigation to non-allowlisted hostnames by maintaining strict SSRF policy enforcement and reviewing the dangerouslyAllowPrivateNetwork configuration flag to ensure it is set to false (default). Restrict OpenClaw process network access at the firewall level to approved internal resources only, reducing the effective pivot scope even if DNS rebinding succeeds. Review and update any DNS resolver configurations used by OpenClaw to implement query validation techniques such as DNS response validation or DoH (DNS over HTTPS) to mitigate DNS spoofing attacks. The upstream fix (commit 121c452d, PR #64367) refactors the validation logic to enforce fail-closed behavior for unallowlisted hostnames and routes CDP HTTP discovery through a pinned SSRF fetch path; verify these changes are present in your deployed version via checking the cdp.helpers.ts file for the fetchWithSsrFGuard call pattern. No workarounds are available for versions prior to 2026.4.10 that fully mitigate the vulnerability; patching is mandatory for production use.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28176