Platform: nodejs
Component: openclaw
Fixed in: 2026.3.25, 2026.3.28
CVE-2026-35629 describes a Server-Side Request Forgery (SSRF) vulnerability in the openclaw Node.js package. It allows attackers to reach internal resources by manipulating configured base URLs and stems from an incomplete fix for a prior vulnerability (CVE-2026-28476). Versions of openclaw up to and including 2026.3.24 are affected; a fix was released in version 2026.3.25.
The SSRF vulnerability in openclaw lets an attacker cause requests that originate from the server itself, bypassing network controls that only inspect inbound traffic. This can lead to unauthorized access to internal services, data, or resources that are not reachable from the outside. An attacker could potentially scan internal networks, access sensitive configuration files, or interact with internal APIs. The impact is amplified by the fact that this vulnerability is an incomplete fix for CVE-2026-28476, suggesting that other SSRF vectors might still exist within the package.
CVE-2026-35629 was publicly disclosed on 2026-03-29. The vulnerability's severity is rated as HIGH (CVSS 7.5). As of this writing, there are no known public proof-of-concept exploits available. It is not currently listed on the CISA KEV catalog. The incomplete nature of the fix for CVE-2026-28476 suggests that attackers might be actively investigating this vulnerability.
Applications utilizing the openclaw Node.js package in their backend infrastructure are at risk. This includes projects relying on openclaw for channel extension functionality, particularly those with configurations allowing for flexible base URL settings. Shared hosting environments where openclaw is installed and configured by the hosting provider are also potentially vulnerable.
• nodejs / server:
  npm list openclaw
  This command lists the installed versions of openclaw. Check whether the version is <= 2026.3.24.
• nodejs / server:
  grep -r 'fetchWithSsrFGuard' ./node_modules/openclaw/
  Search for the fetchWithSsrFGuard function within the openclaw module. Its presence indicates the fix is applied.
• generic web:
  Review application logs for unusual outbound requests originating from the server, especially those targeting internal IP addresses or sensitive internal endpoints.
disclosure
Exploit status:
EPSS: 0.04% (12th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-35629 is to immediately upgrade the openclaw package to version 2026.3.28 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider placing a Web Application Firewall (WAF) or egress proxy in front of outbound requests so that those targeting internal resources are blocked. Specifically, configure it to deny outbound requests to internal IP addresses or to sensitive internal endpoints. Additionally, review and restrict the base URLs configured in openclaw so that only trusted and necessary domains are allowed. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.
Upgrade OpenClaw to version 2026.3.25 or later to mitigate the Server-Side Request Forgery (SSRF) vulnerability. This update fixes unguarded fetch() calls in the channel extensions, preventing unauthorized access to restricted resources.
CVE-2026-35629 is a HIGH severity Server-Side Request Forgery (SSRF) vulnerability in the openclaw Node.js package, allowing attackers to access internal resources.
Yes, if you are using openclaw versions 2026.3.24 or earlier, you are affected by this SSRF vulnerability.
Upgrade openclaw to version 2026.3.28 or later. Consider WAF rules to restrict outbound requests as a temporary workaround.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is being actively investigated.
Refer to the openclaw project's repository and associated security advisories for the latest information: [https://github.com/openclaw/openclaw](https://github.com/openclaw/openclaw)