Platform: nodejs
Component: openclaw
Fixed in: 2026.3.25, 2026.3.28
CVE-2026-35629 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the openclaw Node.js package. The flaw allows attackers to potentially reach internal resources by manipulating configured base URLs, and it exists because the fix for a prior vulnerability (CVE-2026-28476) was incomplete. Versions of openclaw up to and including 2026.3.24 are affected, with a fix released in version 2026.3.25.
The SSRF vulnerability in openclaw allows an attacker to craft malicious requests that originate from the server itself, bypassing normal network security controls. This can lead to unauthorized access to internal services, data, or resources that are not directly reachable from outside the network. An attacker could potentially scan internal networks, access sensitive configuration files, or interact with internal APIs. The impact is amplified by the fact that this vulnerability stems from an incomplete fix for CVE-2026-28476, suggesting that other SSRF vectors might still exist within the package.
CVE-2026-35629 was publicly disclosed on 2026-03-29. The vulnerability's severity is rated as HIGH (CVSS 7.5). As of this writing, there are no known public proof-of-concept exploits available. It is not currently listed on the CISA KEV catalog. The incomplete nature of the fix for CVE-2026-28476 suggests that attackers might be actively investigating this vulnerability.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35629 is to immediately upgrade the openclaw package to version 2026.3.28 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests and block those targeting internal resources. Specifically, configure the WAF to deny requests whose destination is an internal IP address or a sensitive internal endpoint. Additionally, review and restrict the configured base URLs within the openclaw package so that only trusted and necessary domains are allowed. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.
Update OpenClaw to version 2026.3.25 or higher to mitigate the server-side request forgery (SSRF) vulnerability. This update corrects unprotected fetch() calls in channel extensions, preventing unauthorized access to restricted resources.
CVE-2026-35629 is a HIGH severity Server-Side Request Forgery (SSRF) vulnerability in the openclaw Node.js package, allowing attackers to access internal resources.
Yes, if you are using openclaw versions 2026.3.24 or earlier, you are affected by this SSRF vulnerability.
Upgrade openclaw to version 2026.3.28 or later. Consider WAF rules to restrict outbound requests as a temporary workaround.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is being actively investigated.
Refer to the openclaw project's repository and associated security advisories for the latest information: [https://github.com/openclaw/openclaw](https://github.com/openclaw/openclaw)