Platform: nodejs
Component: openclaw
Fixed in: 2026.3.28
CVE-2026-34504 describes a Server-Side Request Forgery (SSRF) vulnerability in the OpenClaw image generation provider. The flaw allows a compromised fal relay to make the image pipeline fetch internal URLs, exposing metadata or internal service responses through that pipeline. The vulnerability affects OpenClaw versions up to and including 2026.3.24; the fix was released in version 2026.3.28.
The primary impact of this SSRF vulnerability is unauthorized access to internal resources. A malicious or compromised fal relay can use the flaw to trigger requests to internal URLs that would normally be unreachable from outside. This can expose sensitive metadata, internal service responses, or other confidential information. The blast radius is limited to the internal network reachable through the fal relay's image fetches, but the consequences of data exposure could be significant, particularly if the exposed information includes authentication credentials or sensitive business data. The SSRF is not directly exploitable for remote code execution, but it could be a stepping stone to further attacks if internal services are themselves vulnerable.
CVE-2026-34504 was publicly disclosed on 2026-04-01. It has a CVSS score of 2.5 (Low), and the probability of exploitation is also assessed as low. No public proof-of-concept (PoC) code had been released at the time of writing. It is not listed in the CISA KEV catalog, and no active exploitation campaigns are known.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-34504 is to immediately upgrade OpenClaw to version 2026.3.28 or later. This version includes the fix implemented in commit 80d1e8a11a, which properly guards image fetches against SSRF attacks. If upgrading is not immediately feasible, consider implementing stricter network segmentation to limit the fal relay's access to internal resources. Additionally, review and restrict the permissions granted to the fal relay to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to access internal URLs through the image generation pipeline and verifying that access is denied.
Update OpenClaw to version 2026.3.28 or later. This corrects the Server-Side Request Forgery (SSRF) vulnerability in the fal provider, preventing attackers from accessing internal URLs through image downloads.
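The fix itself is in commit 80d1e8a11a. As an added illustration of the kind of guard an image fetcher needs (example code written for this page, not OpenClaw's implementation), the following Node.js check rejects internal and metadata addresses before an image URL handed back by a relay is downloaded. The function names and the blocked hosts are assumptions, and a real deployment must additionally re-check the resolved address at connect time.

```javascript
// Added example (not OpenClaw's code): an offline pre-check for a URL that an
// image provider is about to download, such as one returned by an upstream relay.
// It rejects non-HTTP schemes, embedded credentials, and literal addresses in
// loopback, link-local, private, CGNAT and unspecified ranges, plus common
// metadata hosts. A hostname that is not an IP literal must additionally be
// resolved and re-checked at connect time (DNS rebinding); that is out of scope here.

// True when the dotted-quad IPv4 `ip` falls in a range that should never be fetched.
function isBlockedV4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 ||                              // 0.0.0.0/8 "this network"
    a === 10 ||                             // 10.0.0.0/8 private
    a === 127 ||                            // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||             // 169.254.0.0/16 link-local (cloud metadata lives here)
    (a === 172 && b >= 16 && b <= 31) ||    // 172.16.0.0/12 private
    (a === 192 && b === 168) ||             // 192.168.0.0/16 private
    (a === 100 && b >= 64 && b <= 127)      // 100.64.0.0/10 carrier-grade NAT
  );
}

// True for IPv6 loopback, unspecified, link-local, unique-local and IPv4-mapped blocked addresses.
function isBlockedV6(ip) {
  const h = ip.toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (/^fe[89ab]/.test(h) || /^f[cd]/.test(h)) return true;   // fe80::/10, fc00::/7
  const mapped = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // WHATWG writes ::ffff:127.0.0.1 as ::ffff:7f00:1
  if (!mapped) return false;
  const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
  return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Returns { ok: true } or { ok: false, reason } for a candidate image URL.
function checkImageUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // WHATWG parsing has already lowercased the host and normalised IPv4 written as
  // decimal, hex or short form (e.g. 2130706433, 0x7f000001, 127.1) to dotted-quad.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost") || host === "metadata.google.internal") {
    return { ok: false, reason: `blocked host ${host}` };
  }
  const blocked = host.includes(":") ? isBlockedV6(host)
    : /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? isBlockedV4(host) : false;
  return blocked ? { ok: false, reason: `blocked address ${host}` } : { ok: true };
}
```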
CVE-2026-34504 is a Server-Side Request Forgery (SSRF) vulnerability in OpenClaw's image generation provider, allowing unauthorized access to internal resources.
You are affected if you are using OpenClaw versions 2026.3.24 or earlier. Upgrade to 2026.3.28 or later to mitigate the vulnerability.
Upgrade OpenClaw to version 2026.3.28 or later. This includes the fix implemented in commit 80d1e8a11a.
Currently, there are no reports of active exploitation campaigns targeting CVE-2026-34504.
Refer to the OpenClaw project's official security advisories and release notes for details on CVE-2026-34504 and the corresponding fix.