Platform: nodejs
Component: openclaw
Fixed in: 2026.2.14
CVE-2026-28476 describes a server-side request forgery (SSRF) vulnerability in OpenClaw, specifically within the optional Tlon (Urbit) extension. This flaw allows an attacker, under specific conditions, to manipulate the gateway into making HTTP requests to arbitrary destinations, including internal network addresses. The vulnerability impacts OpenClaw versions 0 through 2026.2.14, and a fix is available in version 2026.2.14.
The SSRF vulnerability arises because the Tlon (Urbit) extension accepts a user-provided base URL for authentication. If an attacker can influence this configured Urbit URL, they can cause the OpenClaw gateway to send HTTP requests to hosts of their choosing. This could lead to unauthorized access to internal services, data exfiltration, or even exploitation of other vulnerabilities within the internal network. The blast radius is limited to deployments that use the Tlon extension and in which the attacker can control the Urbit URL configuration. Successful exploitation requires both that the extension be installed and configured and that the attacker be able to manipulate the base URL used for authentication.
This vulnerability was publicly disclosed on March 5, 2026. There is no indication of active exploitation at this time, nor are there any publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The SSRF nature of the vulnerability suggests a potentially low to medium probability of exploitation, depending on the prevalence of the Tlon extension and the security posture of the affected deployments.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2026-28476 is to upgrade OpenClaw to version 2026.2.14 or later, which includes the fix for this SSRF vulnerability. If an immediate upgrade is not feasible, consider disabling the Tlon (Urbit) extension entirely, as this eliminates the attack surface. As a temporary workaround, restrict network access from the OpenClaw gateway to only necessary external resources using firewall rules or a proxy server. Regularly review and validate the configuration of the Tlon extension to ensure that the base URL is not susceptible to manipulation.
Update OpenClaw to version 2026.2.14 or later. This version fixes the Server-Side Request Forgery (SSRF) vulnerability in the Tlon Urbit extension by correctly validating user-provided URLs for authentication.
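The kind of validation the fix is described as performing, as an added example that is not OpenClaw's or the Tlon extension's own code; the function name, the operator allow-list parameter and the {ok, reason} result shape are assumptions:

```javascript
// Added example, not OpenClaw's or the Tlon extension's own code. Names
// (validateBaseUrl, allowedHosts, the {ok, reason} result) are assumptions.
// Checks a user-supplied base URL before a gateway issues outbound
// authentication requests to it, the SSRF pattern described in the advisory.

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Address ranges an outbound gateway request should never be steered toward.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||            // link-local, cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Coarse IPv6 check: loopback, unspecified, ULA, link-local, IPv4-mapped.
function isPrivateIPv6(ip) {
  const h = ip.toLowerCase();
  return h === "::1" || h === "::" || /^f[cd]/.test(h) ||
    h.startsWith("fe80") || h.startsWith("::ffff:");
}

// Returns { ok: true, origin } or { ok: false, reason }.
// new URL() first normalises shorthand hosts (127.1, 0x7f000001) to dotted
// decimal, so the range checks below see the canonical form.
function validateBaseUrl(raw, allowedHosts) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparsable" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  const host = url.hostname;
  if (host.startsWith("[")) {
    if (isPrivateIPv6(host.slice(1, -1))) return { ok: false, reason: "private-ip" };
  } else if (IPV4_LITERAL.test(host)) {
    if (isPrivateIPv4(host)) return { ok: false, reason: "private-ip" };
  } else if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "private-ip" };
  }
  // Hostname checks alone do not cover a name that resolves to an internal
  // address (or re-resolves later), so the operator allow-list is the real gate;
  // a resolver-level check and no automatic redirect following should back it.
  if (!allowedHosts.includes(host)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true, origin: url.origin };
}
```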
CVE-2026-28476 is a server-side request forgery vulnerability in OpenClaw's Tlon (Urbit) extension, allowing attackers to make HTTP requests to arbitrary destinations.
You are affected if you are using OpenClaw versions 0–2026.2.14 and have the Tlon (Urbit) extension installed and configured.
Upgrade OpenClaw to version 2026.2.14 or later. Alternatively, disable the Tlon (Urbit) extension if an upgrade is not immediately possible.
There is currently no evidence of active exploitation, and no public proof-of-concept exploits are available.
Refer to the OpenClaw project's official security advisories for the most up-to-date information and guidance.