Platform: nodejs
Component: openclaw
Fixed in: 2026.2.15, 2026.2.14
CVE-2026-26322 describes a vulnerability in the OpenClaw tool where the gatewayUrl parameter is not sufficiently restricted. This allows a malicious actor to dictate the target of outbound WebSocket connections initiated by the OpenClaw host. The vulnerability affects versions of OpenClaw up to 2026.2.13, and a patch is planned for version 2026.2.14.
The primary impact of CVE-2026-26322 is the potential for unauthorized outbound network connections. An attacker who can influence the gatewayUrl parameter can redirect OpenClaw's WebSocket connections to malicious servers, potentially exfiltrating sensitive data or establishing a command-and-control channel. This could lead to data breaches, system compromise, and further malicious activity. The ability to control outbound connections bypasses typical network segmentation and security controls, significantly expanding the attack surface.
CVE-2026-26322 was publicly disclosed on 2026-02-17. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the vulnerability's nature suggests a relatively low barrier to exploitation once a suitable attack vector is identified.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-26322 is to upgrade to OpenClaw version 2026.2.14 or later, which addresses the insufficient input validation. If upgrading is not immediately feasible, consider implementing strict network egress filtering rules to block outbound WebSocket connections to untrusted destinations. Monitor network traffic for unusual WebSocket connections originating from OpenClaw processes. Review and restrict access to tools that accept and process the gatewayUrl parameter, limiting it to trusted operators and automation.
Update OpenClaw to version 2026.2.14 or later. This version restricts tool-supplied `gatewayUrl` values to loopback or the configured `gateway.remote.url`, rejecting disallowed protocols, credentials, query/hash, and non-root paths.
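The fixed behaviour described above amounts to an allow-list check on the WebSocket destination. The following is an added example of such a check, written for this page and not taken from the OpenClaw code base: it accepts only `ws:`/`wss:` URLs that point at loopback or that exactly match a configured remote gateway URL, and it rejects embedded credentials, query strings, fragments and non-root paths. The function name `validateGatewayUrl`, the constant `CONFIGURED_REMOTE_URL` (standing in for `gateway.remote.url`) and all sample inputs are assumptions constructed for the example.

```javascript
// Added example, not OpenClaw's own implementation. Validates a tool-supplied
// gatewayUrl against the policy the advisory describes for the fixed version.

// Assumed stand-in for the operator-configured gateway.remote.url.
const CONFIGURED_REMOTE_URL = 'wss://gateway.example.test/';

// Only WebSocket schemes are acceptable for an outbound gateway connection.
const ALLOWED_PROTOCOLS = new Set(['ws:', 'wss:']);

// Loopback hosts: localhost, the whole 127.0.0.0/8 range, and IPv6 ::1.
// Node's WHATWG URL keeps the brackets on IPv6 hostnames, hence '[::1]'.
function isLoopbackHost(hostname) {
  if (hostname === 'localhost' || hostname === '[::1]') return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

// Returns { ok: true, href } for an acceptable URL, or { ok: false, reason }.
function validateGatewayUrl(candidate, configuredRemoteUrl = CONFIGURED_REMOTE_URL) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }

  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `disallowed protocol ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  if (url.search || url.hash) {
    return { ok: false, reason: 'query string or fragment not permitted' };
  }
  if (url.pathname !== '/') {
    return { ok: false, reason: `non-root path ${url.pathname}` };
  }

  // Loopback destinations are always acceptable once the shape checks pass.
  if (isLoopbackHost(url.hostname)) {
    return { ok: true, href: url.href };
  }

  // Otherwise the destination must match the configured remote gateway
  // exactly on scheme, host and port (compared field by field so that an
  // omitted default port and an explicit one are treated consistently).
  const remote = new URL(configuredRemoteUrl);
  const matchesRemote =
    url.protocol === remote.protocol &&
    url.hostname === remote.hostname &&
    url.port === remote.port;
  if (!matchesRemote) {
    return { ok: false, reason: `host ${url.host} is neither loopback nor the configured remote` };
  }
  return { ok: true, href: url.href };
}

// Constructed sample inputs a tool might supply; printed for illustration.
const SAMPLES = [
  'ws://127.0.0.1:18789/',
  'wss://gateway.example.test/',
  'wss://other-host.example/',
  'http://127.0.0.1/',
  'ws://user:secret@127.0.0.1/',
  'ws://127.0.0.1/?debug=1',
  'ws://127.0.0.1/api',
  'not a url',
];
for (const sample of SAMPLES) {
  const verdict = validateGatewayUrl(sample);
  console.log(`${verdict.ok ? 'ACCEPT' : 'REJECT'} ${sample}${verdict.ok ? '' : ' (' + verdict.reason + ')'}`);
}
```

The check deliberately parses with the WHATWG `URL` class rather than matching strings, so that hostnames are normalised before comparison; the loopback rule is the only place a destination other than the configured remote is ever allowed.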
CVE-2026-26322 is a HIGH severity vulnerability in OpenClaw versions <= 2026.2.13 that allows attackers to control outbound WebSocket connections by manipulating the gatewayUrl parameter.
You are affected if you are using OpenClaw version 2026.2.13 or earlier. Check your installed version and upgrade as soon as possible.
Upgrade OpenClaw to version 2026.2.14 or later. As a temporary workaround, restrict outbound WebSocket connections to trusted destinations.
There is currently no evidence of active exploitation, but the nature of the vulnerability makes it a likely target.
Refer to the OpenClaw project's official channels (e.g., GitHub repository, npm package page) for the latest advisory and security updates.