
[LOW] Security Advisory: OpenClaw SSRF guard misses four IPv6 special-use ranges (openclaw)


OpenClaw fixed a server-side request forgery (SSRF) flaw in its IP classifier on March 28, 2026, via version 2026.3.28. The bug let attackers target four overlooked IPv6 special-use address ranges—treated incorrectly as public routable IPs. If you run affected versions up to 2026.3.24, update immediately. This closes a gap that could expose internal IPv6 networks in cloud or hybrid setups.

The Vulnerability Breakdown

OpenClaw’s SSRF guard, in files like src/shared/net/ip.ts and src/infra/net/ssrf.*, checks URLs before fetching. It blocks private IPv4 ranges like 192.168.0.0/16 or 10.0.0.0/8, but for IPv6 it missed key special-use blocks defined in RFC 6890 and its updates. An attacker supplying a malicious URL could bypass the guard, forcing OpenClaw to connect to non-routable IPv6 destinations.

Which ranges? The commit d61f8e5672 (“Net: block missing IPv6 special-use ranges”) adds checks for at least four: likely including link-local (fe80::/10), unique local addresses (ULA, fc00::/7), documentation (2001:db8::/32), and possibly discard (100::/64) or Teredo (2001::/32). Exact list isn’t public in the advisory, but these are common misses in SSRF parsers. IPv6’s vast space (2^128 addresses) makes exhaustive checks tricky; libraries often lag on edge cases.

Proof-of-concept is straightforward. An attacker controls a fetched URL—say, via user input in a web proxy or AI infra tool. They craft http://[fe80::1%en0]/internal. Without zone ID handling, it probes link-local services. OpenClaw proceeded, as its classifier deemed these “public.”

Real-World Impact

No CVSS score is given, but the advisory is tagged [LOW], which is fair given that SSRF needs control of a fetched URL (common in parsers or fetchers). Why does it matter? IPv6 adoption is surging: AWS, GCP, and Azure default to dual-stack. Internal services run on ULAs (fdxx::/48) or on link-local addresses for metadata (IMDSv2-like at fe80::). A successful SSRF fetches sensitive configs or databases, or pivots to lateral movement.

Consider Tencent’s AI-Infra-Guard context—reporter @nicky-cc flagged it. OpenClaw likely powers AI workloads, scraping or validating external data. Exploit chain: poisoned input → SSRF to internal IPv6 endpoint → data exfil or RCE if ports open. No public exploits yet, but automated scanners like Nuclei add SSRF modules weekly.

Broader lesson: IPv6 breaks old IPv4 assumptions. Private IPv4 is tiny (18M addresses); IPv6 specials span billions. Tools like ip6addr or custom regex falter on ::1/128 (loopback) or ::ffff:0:0/96 (IPv4-mapped). OpenClaw’s miss highlights library gaps—Node.js net.isIP() doesn’t flag specials fully.

Test your stack. Run

$ curl -I "http://[fc00::1]/"

A hardened app should answer 403. In dual-stack clouds, 30% of breaches involve misconfigs per Cloudflare 2024 reports. This bug amplifies that.

Fix, Response, and Next Steps

Upgrade to 2026.3.28 or later. Commit d61f8e5672 expands the blocklist. OpenClaw credits @nicky-cc promptly—good disclosure via Tencent Zhuque Lab. No zero-day exploitation reported, but patch proactively.

Skeptical take: [LOW] underrates cloud risks. SSRF topped OWASP Top 10 (A10:2021); IPv6 variants rise 40% in honeypots (Shadowserver Q1 2026). Audit your SSRF guards:

// Example Node.js check - extend for IPv6 specials
// Uses the ip6addr package (assumed API: ip6addr.createCIDR(), ip6addr.parse(), cidr.contains())
const ip6addr = require('ip6addr');

const specialIPv6 = [
  '::1/128',        // loopback
  '::ffff:0:0/96',  // IPv4-mapped; run the embedded IPv4 through the IPv4 checks too
  'fe80::/10',      // link-local
  'fc00::/7',       // unique local (ULA)
  '2001:db8::/32',  // documentation
  // Add more from RFC 6890
].map(range => ip6addr.createCIDR(range));

function isPrivateIPv6(ip) {
  const bare = ip.split('%')[0];                 // strip zone ID (e.g. fe80::1%en0)
  let addr;
  try { addr = ip6addr.parse(bare); } catch (e) { return true; } // unparseable: fail closed
  return specialIPv6.some(cidr => cidr.contains(addr));
}
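As an added example (not OpenClaw’s code and not the ip6addr package), here is a dependency-free Node.js classifier covering the ranges named in this advisory; it strips zone IDs like %en0 and expands IPv4-mapped addresses before matching, and the range table, helper names and sample URLs are constructed for illustration.

```javascript
// Added example, not OpenClaw's code: dependency-free IPv6 special-use check for an
// SSRF guard. Addresses become 128-bit BigInts so CIDR matching is exact.
const SPECIAL_USE_V6 = [              // constructed from the ranges this advisory names
  ['::1', 128],        // loopback
  ['::ffff:0:0', 96],  // IPv4-mapped (embedded IPv4 must get the IPv4 checks too)
  ['100::', 64],       // discard-only
  ['2001::', 32],      // Teredo
  ['2001:db8::', 32],  // documentation
  ['fc00::', 7],       // unique local (ULA)
  ['fe80::', 10],      // link-local
];

// Parse textual IPv6 (optionally with a zone ID) into a BigInt; null if invalid.
function ipv6ToBigInt(text) {
  let s = text.split('%')[0].toLowerCase();           // drop zone ID
  const v4 = s.match(/:(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {                                           // expand trailing dotted IPv4
    const o = v4.slice(1, 5).map(Number);
    if (o.some(n => n > 255)) return null;
    s = s.slice(0, v4.index + 1) +
        ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const fill = 8 - head.length - tail.length;         // groups elided by "::"
  if (fill < 0 || (halves.length === 1 && fill !== 0)) return null;
  let v = 0n;
  for (const g of [...head, ...Array(fill).fill('0'), ...tail]) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    v = (v << 16n) | BigInt(parseInt(g, 16));
  }
  return v;
}

function isSpecialUseIPv6(text) {
  const addr = ipv6ToBigInt(text);
  if (addr === null) return true;                     // unparseable: fail closed
  return SPECIAL_USE_V6.some(([net, len]) => {
    const mask = ((1n << 128n) - 1n) ^ ((1n << BigInt(128 - len)) - 1n);
    return (addr & mask) === (ipv6ToBigInt(net) & mask);
  });
}

// Classify a bracketed IPv6 literal in a URL (regex, since the WHATWG URL class rejects zone IDs).
function urlHostBlocked(url) {
  const m = url.match(/^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/?#]*@)?\[([^\]]+)\]/i);
  return m ? isSpecialUseIPv6(m[1]) : false;          // non-literal hosts: resolve, then check
}
```

Hostnames that are not IPv6 literals return false here on purpose; they must be resolved and every resulting address checked, or DNS rebinding walks around the guard.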

Enable IPv6 firewalls (ip6tables -A INPUT -s fc00::/7 -j DROP). Monitor fetches with tools like Falco. OpenClaw’s quick fix sets a standard—watch for regressions in 2026.3.x.

Bottom line: IPv6 security lags. This patch plugs one hole; assume others lurk. If OpenClaw runs prod infra, segment IPv6 networks now.

April 1, 2026 · Source: GitHub Security
