Platform
nodejs
Component
openclaw
Fixed in
2026.2.22
CVE-2026-32019 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the OpenClaw Node.js package. This flaw allows attackers to bypass the intended SSRF protection mechanisms and potentially access internal resources or services within special-use IPv4 ranges. Versions of OpenClaw prior to 2026.2.22 are affected, and a patch has been released to address the issue.
The SSRF vulnerability in OpenClaw arises from a flaw in the isPrivateIpv4() function within the bundled SSRF guard code. This function failed to recognize several IPv4 special-use and non-global ranges as non-global, so webfetch could target them despite the SSRF policy. Successful exploitation requires the attacker to have network reachability to these ranges and to craft a request path that triggers the webfetch URL-fetching functionality. While the severity is rated HIGH, exploitation is constrained by these requirements, making a widespread, easily exploited issue less likely.
CVE-2026-32019 was publicly disclosed on 2026-03-19. There is no indication of active exploitation campaigns or public proof-of-concept (POC) code available at this time. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is likely to be low given the lack of public exploits and the specific network reachability requirement for exploitation.
Exploit Status
EPSS
0.05% (15th percentile)
The primary mitigation for CVE-2026-32019 is to upgrade the OpenClaw package to version 2026.2.22 or later. This patched version includes a corrected isPrivateIpv4() function that accurately blocks the vulnerable IPv4 ranges. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to known special-use IPv4 ranges. Additionally, carefully review and restrict the allowed domains and protocols for web_fetch to minimize the potential attack surface. After upgrading, confirm the fix by attempting to access a known special-use IPv4 address through the OpenClaw package and verifying that the request is blocked.
Update the OpenClaw library to version 2026.2.22 or later. This version corrects the incomplete validation of special IPv4 ranges, preventing SSRF attacks that could access blocked addresses.
CVE-2026-32019 is a HIGH severity SSRF vulnerability affecting the OpenClaw Node.js package, allowing attackers to bypass SSRF policies and potentially access internal resources.
You are affected if you are using OpenClaw versions 2026.2.21-2 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade the OpenClaw package to version 2026.2.22 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation or public proof-of-concept code available for CVE-2026-32019.
Refer to the OpenClaw project's official advisory for detailed information and updates: https://github.com/openclaw/openclaw/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder; replace with the actual advisory link)