Platform: nodejs
Component: openclaw
Fixed in: 2026.2.15, 2026.2.14
CVE-2026-26324 describes a Server-Side Request Forgery (SSRF) vulnerability in the OpenClaw Node.js package. This flaw allows attackers to bypass the SSRF protection mechanism by crafting malicious requests using full-form IPv4-mapped IPv6 literals. The vulnerability impacts versions of OpenClaw up to 2026.2.13, and a fix is planned in version 2026.2.14.
The SSRF vulnerability in OpenClaw allows an attacker to make the application send requests to unintended internal or external resources. By bypassing the SSRF guard, attackers can reach sensitive data, metadata endpoints, or internal services that should be protected. Specifically, a full-form IPv4-mapped IPv6 literal (e.g., 0:0:0:0:0:ffff:7f00:1, which denotes 127.0.0.1) slips past the intended filtering logic. This could lead to unauthorized access to loopback addresses, private networks, or link-local metadata, exposing sensitive information or enabling further exploitation within the internal network. While no immediate exploitation is reported, the ease of bypassing the SSRF protection makes this a significant risk.
This vulnerability was publicly disclosed on 2026-02-17. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The ease of bypassing the SSRF protection suggests a moderate risk of exploitation if left unaddressed, particularly in environments with exposed internal services.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2026-26324 is to upgrade to OpenClaw version 2026.2.14 or later, which includes the fix for the SSRF protection bypass. If upgrading is not immediately feasible, consider placing a Web Application Firewall (WAF) or reverse proxy in front of the application with strict filtering rules that block requests containing IPv4-mapped IPv6 literals. Additionally, review and strengthen your internal network segmentation to limit the blast radius of a successful SSRF attack. Monitor your application logs for unusual outbound requests, particularly those directed at loopback, private, or link-local addresses. After upgrading, confirm the fix by sending a request that uses an IPv4-mapped IPv6 literal for a known internal resource; the request should be blocked.
Update OpenClaw to version 2026.2.14 or higher. This version fixes the SSRF vulnerability that allows bypass of protection using IPv4-mapped IPv6 literals.
CVE-2026-26324 is a Server-Side Request Forgery (SSRF) vulnerability in the OpenClaw Node.js package, allowing attackers to bypass SSRF protection using IPv4-mapped IPv6 literals.
Yes, if you are using OpenClaw versions 2026.2.13 or earlier, you are vulnerable to this SSRF bypass.
Upgrade to OpenClaw version 2026.2.14 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
There is currently no confirmed active exploitation of CVE-2026-26324, but the ease of bypass suggests a potential risk.
Refer to the OpenClaw project's official repository and release notes for the advisory and details on the fix.