Platform: nodejs
Component: openclaw
Fixed in: 2026.2.14, 2026.2.15
CVE-2026-26324 describes a Server-Side Request Forgery (SSRF) protection bypass in the OpenClaw Node.js package. An attacker can evade the SSRF guard by writing the target address as a full-form IPv4-mapped IPv6 literal, that is, the uncompressed eight-group spelling (for example 0:0:0:0:0:ffff:7f00:1) instead of the compressed ::ffff:127.0.0.1. The vulnerability affects OpenClaw versions up to and including 2026.2.13 and is fixed in version 2026.2.14.
By bypassing the guard, an attacker who can influence a URL that OpenClaw fetches can direct the request at resources the guard is meant to keep off-limits: loopback services, private-network hosts, or link-local cloud metadata endpoints (169.254.169.254, which in the same spelling is 0:0:0:0:0:ffff:a9fe:a9fe). The bypass is characteristic of a textual check: a guard that compares the host against the spellings it expects (127.0.0.1, ::1, ::ffff:127.0.0.1) never matches 0:0:0:0:0:ffff:7f00:1, yet the operating system connects that literal to 127.0.0.1, because the ::ffff:0:0/96 prefix carries an embedded IPv4 address. A correct guard must parse the literal, reduce it to canonical bytes, unmap any embedded IPv4 address, and only then test it against the blocked ranges. No exploitation has been reported, but the bypass requires nothing more than a differently spelled address, which makes this a significant risk.
This vulnerability was publicly disclosed on 2026-02-17. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The ease of bypassing the SSRF protection suggests a moderate risk of exploitation if left unaddressed, particularly in environments with exposed internal services.
Applications that run the OpenClaw Node.js package in production are at risk. Deployments where OpenClaw issues outbound requests whose destination is influenced by untrusted input, and where the host can reach internal services or a cloud metadata endpoint, are particularly exposed. Anyone running OpenClaw 2026.2.13 or earlier should prioritize upgrading to the patched version.
• nodejs / server:
  npm list openclaw   (compare the installed version against 2026.2.14)
• nodejs / server:
  npm audit   (check the report for an openclaw advisory; npm audit takes no package argument)
• generic web:
  Review application and egress-proxy logs for requests whose target host is an IPv4-mapped IPv6 literal in any spelling (e.g., ::ffff:127.0.0.1, ::ffff:7f00:1 or 0:0:0:0:0:ffff:7f00:1). Access logs record inbound traffic and will not show these.
• generic web:
  Monitor application logs for unusual outbound requests to internal resources (loopback, RFC 1918 ranges, 169.254.169.254).
Exploit status: disclosure
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-26324 is to upgrade to OpenClaw version 2026.2.14 or later, which fixes the SSRF protection bypass. If upgrading is not immediately feasible, a Web Application Firewall or reverse proxy can block requests carrying IPv4-mapped IPv6 literals, but the rule must cover every spelling (::ffff:127.0.0.1, ::ffff:7f00:1, 0:0:0:0:0:ffff:7f00:1, zero-padded groups, upper-case hex, with and without brackets), otherwise it fails exactly the way the original guard did; an egress proxy that resolves and canonicalizes the destination before connecting is the more robust stopgap. Review and strengthen internal network segmentation to limit the blast radius of a successful SSRF, and monitor application logs for unusual outbound requests to internal resources. After upgrading, confirm the fix by attempting a request to a known internal resource using an IPv4-mapped IPv6 literal in both compressed and full form; both must be blocked.
Upgrade OpenClaw to version 2026.2.14 or later. This version fixes the SSRF vulnerability that allowed the protection to be bypassed using IPv4-mapped IPv6 literals.
CVE-2026-26324 is a Server-Side Request Forgery (SSRF) vulnerability in the OpenClaw Node.js package, allowing attackers to bypass SSRF protection using IPv4-mapped IPv6 literals.
Yes, if you are using OpenClaw versions 2026.2.13 or earlier, you are vulnerable to this SSRF bypass.
Upgrade to OpenClaw version 2026.2.14 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
There is currently no confirmed active exploitation of CVE-2026-26324, but the ease of bypass suggests a potential risk.
Refer to the OpenClaw project's official repository and release notes for the advisory and details on the fix.