Platform: nodejs
Component: openclaw
Fixed in: 2026.2.14
CVE-2026-28476 describes a server-side request forgery (SSRF) vulnerability in OpenClaw, specifically within the optional Tlon (Urbit) extension. This flaw allows an attacker, under specific conditions, to manipulate the gateway into making HTTP requests to arbitrary destinations, including internal network addresses. The vulnerability impacts OpenClaw versions 0 through 2026.2.14, and a fix is available in version 2026.2.14.
The SSRF vulnerability arises from the Tlon (Urbit) extension's acceptance of a user-provided base URL for authentication. If an attacker can influence this configured Urbit URL, they can trick the OpenClaw gateway into sending HTTP requests to hosts of their choosing. This could lead to unauthorized access to internal services, data exfiltration, or even exploitation of other vulnerabilities within the internal network. The blast radius is limited to deployments utilizing the Tlon extension and where the attacker can control the Urbit URL configuration. Successful exploitation requires both the extension to be installed and configured, and the ability to manipulate the base URL used for authentication.
This vulnerability was publicly disclosed on March 5, 2026. There is no indication of active exploitation at this time, nor are there any publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The SSRF nature of the vulnerability suggests a potentially low to medium probability of exploitation, depending on the prevalence of the Tlon extension and the security posture of the affected deployments.
Organizations deploying OpenClaw with the Tlon (Urbit) extension enabled are at risk. This includes those using OpenClaw for custom applications or integrations where the Urbit URL is not carefully controlled. Shared hosting environments where users can configure extensions pose a heightened risk.
• nodejs: Monitor OpenClaw logs for unusual outbound HTTP requests, particularly those originating from the Tlon (Urbit) extension. Use lsof or netstat to identify processes making connections to unexpected destinations.
  lsof -i | grep claw
• generic web: Examine access logs for requests to internal resources that should not be accessible from the outside. Check response headers for signs of SSRF exploitation.
  grep "internal.domain.com" /var/log/nginx/access.log
Exploit status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28476 is to upgrade OpenClaw to version 2026.2.14 or later, which includes the fix for this SSRF vulnerability. If an immediate upgrade is not feasible, consider disabling the Tlon (Urbit) extension entirely, as this eliminates the attack surface. As a temporary workaround, restrict network access from the OpenClaw gateway to only necessary external resources using firewall rules or a proxy server. Regularly review and validate the configuration of the Tlon extension to ensure that the base URL is not susceptible to manipulation.
Update OpenClaw to version 2026.2.14 or later. This version fixes the Server-Side Request Forgery (SSRF) vulnerability in the Tlon Urbit extension by properly validating the user-supplied URLs used for authentication.
CVE-2026-28476 is a server-side request forgery vulnerability in OpenClaw's Tlon (Urbit) extension, allowing attackers to make HTTP requests to arbitrary destinations.
You are affected if you are using OpenClaw versions 0–2026.2.14 and have the Tlon (Urbit) extension installed and configured.
Upgrade OpenClaw to version 2026.2.14 or later. Alternatively, disable the Tlon (Urbit) extension if an upgrade is not immediately possible.
There is currently no evidence of active exploitation, and no public proof-of-concept exploits are available.
Refer to the OpenClaw project's official security advisories for the most up-to-date information and guidance.