OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through proxy behavior instead of pinned-destination routing, enabling access to internal targets reachable from the proxy environment.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Openclaw Openclaw
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
|
— |
2026.3.2
|
References 3
https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environmen…
disclosure@vulncheck.com