[HIGH] Security Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) (openclaw)

OpenClaw, an npm package handling channel extensions for integrations, ships with a critical SSRF vulnerability in versions up to 2026.3.24. Attackers can exploit unguarded fetch() calls in multiple extensions to force the server to request internal resources or bypass network controls. The bug stems from an incomplete fix for CVE-2026-28476, which left some code paths exposed.

SSRF, or Server-Side Request Forgery, sits on the OWASP Top 10 for good reason: it turns your server into an attacker's proxy. In cloud environments such as AWS or GCP, exploits target the instance metadata endpoint (169.254.169.254) to dump IAM credentials, instance details, or service tokens. For OpenClaw users building API gateways or multi-channel apps, this means potential data leaks or lateral movement inside the network.

Vulnerability Breakdown

Several channel extensions call the raw fetch() directly against user-configured base URLs. The prior patch for CVE-2026-28476 added an SSRF guard, fetchWithSsrFGuard, but these extensions were never routed through it. An attacker who controls a base URL can point it at localhost, internal IP ranges, or otherwise blocklisted destinations.

Verification confirms the issue on tag v2026.3.24: the affected extensions bypass the guard, and SSRF test requests succeed. The fix is commit f92c92515bd439a71bd03eb1bc969c1964f17acf, now on main, which funnels all outbound requests through the guarded function. First patched release: 2026.3.25.

OpenClaw's role amplifies the risk. When it is integrated into Node.js apps for Slack, Discord, or custom webhooks (the common "channel" use cases), a misconfiguration can let remote users control the fetch target. If configuration inputs are accepted without authentication, tainted input becomes an immediate exploit vector.
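The guard the advisory describes, as an added example rather than OpenClaw's own fetchWithSsrFGuard: a policy check over scheme, hostname and every resolved address, plus the optional allowlist that the advice below ("lock base URLs to trusted domains") calls for. Function names, the allowlist parameter and the sample URLs are assumptions made here for illustration.

```javascript
// Added example (not OpenClaw code): a guarded outbound fetch of the kind the
// advisory says the channel extensions skipped. Function names, the allowlist
// parameter and the sample URLs are assumptions/constructed for illustration.
//
// Unguarded shape of the bug described above (illustration only, not run here):
//   const res = await fetch(`${config.baseUrl}/api/messages`);

// Parse a dotted-quad IPv4 string into four octets, or return null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for addresses an outbound integration call should never reach:
// loopback, RFC 1918, link-local (including the 169.254.169.254 metadata
// endpoint), CGNAT, multicast/reserved, and their IPv6 equivalents.
function isBlockedAddress(addr) {
  let a = addr.toLowerCase();
  if (a.startsWith('::ffff:')) a = a.slice(7); // IPv4-mapped IPv6 -> embedded IPv4
  const v4 = parseIPv4(a);
  if (v4) {
    const [o1, o2] = v4;
    return (
      o1 === 0 || o1 === 10 || o1 === 127 ||
      (o1 === 169 && o2 === 254) ||
      (o1 === 172 && o2 >= 16 && o2 <= 31) ||
      (o1 === 192 && o2 === 168) ||
      (o1 === 100 && o2 >= 64 && o2 <= 127) ||
      o1 >= 224
    );
  }
  if (a === '::1' || a === '::') return true;   // IPv6 loopback / unspecified
  return /^f[cd][0-9a-f]{2}:/.test(a) ||        // unique-local fc00::/7
         /^fe[89ab][0-9a-f]:/.test(a);          // link-local fe80::/10
}

// Pure policy check: scheme, hostname and every resolved address must pass.
// `resolvedAddresses` is supplied by the caller (so the policy is testable
// without DNS); `allowedHosts`, when non-empty, pins the base URL to known
// lowercase hostnames.
function checkTarget(urlStr, resolvedAddresses, allowedHosts = []) {
  let url;
  try { url = new URL(urlStr); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // WHATWG URL already normalises IPv4 tricks (decimal, hex, short forms) to dotted quads.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost is not a valid integration target' };
  }
  if (allowedHosts.length > 0 && !allowedHosts.includes(host)) {
    return { ok: false, reason: `host ${host} is not in the configured allowlist` };
  }
  const bad = [host, ...resolvedAddresses].find(isBlockedAddress);
  if (bad) return { ok: false, reason: `address ${bad} is internal or reserved` };
  return { ok: true, host };
}

// Guarded wrapper: syntactic checks first, then resolve and re-check every
// A/AAAA record (a name with one public and one private answer is rejected),
// then fetch without following redirects, so a 3xx to an internal address
// cannot be followed silently.
async function fetchWithGuard(urlStr, options = {}, allowedHosts = []) {
  const pre = checkTarget(urlStr, [], allowedHosts);
  if (!pre.ok) throw new Error(`SSRF guard blocked ${urlStr}: ${pre.reason}`);
  const { lookup } = await import('node:dns/promises');
  const records = await lookup(pre.host, { all: true });
  const verdict = checkTarget(urlStr, records.map((r) => r.address), allowedHosts);
  if (!verdict.ok) throw new Error(`SSRF guard blocked ${urlStr}: ${verdict.reason}`);
  return fetch(urlStr, { ...options, redirect: 'manual' });
}
```

Two caveats a reviewer would raise: the check-then-connect gap still exists (a DNS answer can change between lookup and fetch unless the connection is pinned to the checked address via a custom agent/dispatcher), and a caller that wants to follow redirects must pass each hop's Location back through checkTarget rather than switching to redirect: 'follow'.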

Why This Matters and What to Do

Partial fixes like this erode trust. CVE-2026-28476 promised resolution, yet tag 2026.3.24, the latest published at advisory time, remains vulnerable. Teams that deployed tagged releases were left exposed. The implications extend beyond leaks: chained with RCE or an auth bypass, an attacker can pivot to databases or admin panels.

Scan your dependencies with npm ls openclaw. If the installed version is 2026.3.24 or earlier, upgrade immediately to 2026.3.25 or later, then verify after upgrading:

npm install openclaw@latest
npm ls openclaw  # Confirm version

Audit configs too: lock base URLs to trusted domains. Implement network-level blocks on metadata IPs. Tools like npm audit miss this until the CVE data is updated, so manually grep the extensions for fetch( calls.
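The manual grep step above, as an added audit script that is not part of OpenClaw: it lists every raw fetch( call per file and line and notes whether the file references the guard at all, which is exactly the "imports the guard but still calls fetch directly" shape behind this incomplete fix. The guard name is taken from the advisory's spelling; the sample files and paths are constructed here.

```javascript
// Added example (not OpenClaw code): a heuristic audit for the pattern this
// advisory describes, raw fetch( calls in extension sources that do not go
// through the guard. The guard name is the advisory's spelling; the sample
// files below are constructed and their paths are hypothetical.
const GUARD_NAME = 'fetchWithSsrFGuard';

// Matches a bare `fetch(` or `globalThis.fetch(` call, but not `client.fetch(`,
// `myfetch(` or the guard function itself (whose name continues after "fetch").
const RAW_FETCH = /(?<![\w.])(?:globalThis\.)?fetch\s*\(/;

// Report every raw fetch( call with file and line, plus whether the file
// references the guard anywhere (matched case-insensitively, since the real
// source's casing may differ from the advisory's).
function findUnguardedFetch(sources, guardName = GUARD_NAME) {
  const guardRef = new RegExp(guardName, 'i');
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    const guardImported = guardRef.test(text);
    text.split('\n').forEach((line, idx) => {
      if (/^\s*(\/\/|\*|\/\*)/.test(line)) return; // skip comment-only lines
      if (RAW_FETCH.test(line)) {
        findings.push({ file, line: idx + 1, guardImported, code: line.trim() });
      }
    });
  }
  return findings;
}

// Walk a directory (e.g. node_modules/openclaw) and audit its JS/TS sources.
async function auditDirectory(root, guardName = GUARD_NAME) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const sources = {};
  async function walk(dir) {
    for (const entry of await fs.readdir(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        if (entry.name !== 'node_modules' && entry.name !== '.git') await walk(full);
      } else if (/\.[cm]?[jt]s$/.test(entry.name)) {
        sources[full] = await fs.readFile(full, 'utf8');
      }
    }
  }
  await walk(root);
  return findUnguardedFetch(sources, guardName);
}

// Constructed sample: one guarded extension, one raw call, and one file that
// imports the guard but still has a direct call (the incomplete-fix shape).
const sampleSources = {
  'extensions/slack.js': [
    "const { fetchWithSsrFGuard } = require('../net/guard');",
    "module.exports = (cfg, body) => fetchWithSsrFGuard(`${cfg.baseUrl}/api/chat.postMessage`, { method: 'POST', body });",
  ].join('\n'),
  'extensions/discord.js': [
    '// posts to the configured webhook base',
    "module.exports = (cfg, body) => fetch(`${cfg.baseUrl}/webhooks`, { method: 'POST', body });",
  ].join('\n'),
  'extensions/custom.js': [
    "const { fetchWithSsrFGuard } = require('../net/guard');",
    "async function health(cfg) { return globalThis.fetch(cfg.baseUrl + '/healthz'); }",
    "async function send(cfg) { return fetchWithSsrFGuard(cfg.baseUrl + '/send'); }",
  ].join('\n'),
};

function auditSample() {
  return findUnguardedFetch(sampleSources);
}

for (const f of auditSample()) {
  const note = f.guardImported ? ' (guard imported but bypassed here)' : '';
  console.log(`${f.file}:${f.line}${note}  ${f.code}`);
}
```

Run auditDirectory('node_modules/openclaw') against the installed package; a non-empty result on a version you believe is patched is the signal to compare against the fixed commit. The regex is a triage aid, not a proof of safety: it cannot see fetch reached through aliases or wrappers, so treat a clean result as "nothing obvious" rather than "guarded".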

A skeptical read: OpenClaw's maintainers moved fast on the commit, but the release lag exposed users. Future versions should bake static analysis for raw fetch patterns into CI. For high-traffic services, SSRF isn't hypothetical: the 2019 Capital One breach pivoted via a similar flaw, costing millions. Act now; your internal network will thank you.

Broader context: npm's ecosystem churns through 2M+ packages weekly, with SSRF appearing in 1-2% of advisories per Snyk data. OpenClaw, niche but widely integrable, underscores the need to audit transitive dependencies. If you're forking or extending it, apply the upstream commit directly.

March 30, 2026 · 2 min · 14 views · Source: GitHub Security