CVE-2026-28476 OpenClaw — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	6.3 (MEDIUM)
Affected Versions	before 2026.2.14
Type	CWE-918 (Server-Side Request Forgery (SSRF) (Подделка запросов на стороне сервера))
Vendor	OpenClaw
Public PoC	No

OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts including internal addresses.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Attack Requirements

Present

Нужны дополнительные условия

Privileges Required

None

Права не нужны

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

None

Нет утечки данных

Integrity

Low

Частичная модификация данных

Availability

None

Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF) (Подделка запросов на стороне сервера)

References 3

https://github.com/openclaw/openclaw/commit/bfa7d21e997baa8e3437657d59b1e296815…

disclosure@vulncheck.com

https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc

disclosure@vulncheck.com

https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-tl…

disclosure@vulncheck.com

Menu

CVE-2026-28476

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice