Platform
nodejs
Component
openclaw
Fixed in
2026.3.28
CVE-2026-34504 describes a Server-Side Request Forgery (SSRF) vulnerability within the OpenClaw image generation provider. This flaw allows a compromised fal relay to potentially fetch internal URLs and expose sensitive metadata or internal service responses through the image pipeline. The vulnerability affects versions of OpenClaw up to and including 2026.3.24, and has been resolved in version 2026.3.28.
The SSRF vulnerability in OpenClaw's image generation provider allows an attacker who has compromised a fal relay to initiate requests to internal resources that are normally inaccessible from the outside. This could lead to the exposure of sensitive data, such as internal service responses or metadata. An attacker could potentially leverage this to map the internal network, identify other services, or even gain access to protected resources. The impact is amplified if the internal services exposed contain sensitive information or are critical to the application's functionality. While the CVSS score is LOW, the potential for data exposure and internal reconnaissance warrants prompt remediation.
CVE-2026-34504 was publicly disclosed on April 1, 2026. The vulnerability's impact is limited by the requirement of a compromised fal relay, which may require initial access to the OpenClaw environment. No public proof-of-concept exploits have been identified as of this writing. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited scope of potential exploitation.
Organizations utilizing OpenClaw for image generation and processing are at risk, particularly those with complex internal network architectures or those who have not implemented robust network segmentation. Environments where the fal relay has broad access to internal services are at higher risk. Shared hosting environments using OpenClaw should be especially vigilant.
• nodejs / server:
journalctl -u openclaw | grep -i -e "fal provider" -e "image fetch"
• generic web:
curl -I <openclaw_endpoint> | grep -i "X-Powered-By"
• generic web:
grep -r "fal: guard image fetches" /path/to/openclaw/source/code
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34504 is to upgrade OpenClaw to version 2026.3.28 or later. This version includes a fix that guards image fetches, preventing the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting outbound network access from the fal relay to only necessary destinations. Review and tighten access controls for internal services that might be exposed through the image pipeline. Monitor network traffic for unusual outbound requests originating from the fal relay. After upgrading, confirm the fix by attempting to trigger an image fetch with an internal URL and verifying that the request is properly blocked.
Upgrade OpenClaw to version 2026.3.28 or later. This fixes the Server-Side Request Forgery (SSRF) vulnerability in the fal provider and prevents attackers from reaching internal URLs through the image download.
CVE-2026-34504 is a Server-Side Request Forgery (SSRF) vulnerability in OpenClaw's image generation provider, allowing unauthorized access to internal resources.
You are affected if you are using OpenClaw versions 2026.3.24 or earlier. Upgrade to 2026.3.28 or later to mitigate the vulnerability.
Upgrade OpenClaw to version 2026.3.28 or later. This includes the fix implemented in commit 80d1e8a11a.
Currently, there are no reports of active exploitation campaigns targeting CVE-2026-34504.
Refer to the OpenClaw project's official security advisories and release notes for details on CVE-2026-34504 and the corresponding fix.