Platform
nodejs
Component
openclaw
Fixed in
2026.2.22
CVE-2026-32019 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the OpenClaw Node.js package. This flaw allows attackers to bypass the intended SSRF protection mechanisms and potentially access internal resources or services within special-use IPv4 ranges. Versions of OpenClaw prior to 2026.2.22 are affected, and a patch has been released to address the issue.
The SSRF vulnerability in OpenClaw arises from a flaw in the isPrivateIpv4() function within the bundled SSRF guard code. This function incorrectly identified several IPv4 special-use and non-global ranges, allowing webfetch to target them despite the SSRF policy. Successful exploitation requires the attacker to have network reachability to these ranges and craft a request path that triggers the webfetch URL fetching functionality. While the severity is rated as HIGH, the exploitation is somewhat constrained by these requirements, making it less likely to be a widespread, easily exploitable issue.
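To make the defect class concrete, here is an added example (not OpenClaw's code and not its patched isPrivateIpv4()) of a fail-closed IPv4 special-use check of the kind an SSRF guard needs; the range list follows the IANA IPv4 special-purpose registry (RFC 6890), and anything that is not a strict dotted-quad is treated as blocked:

```javascript
// Added example, not OpenClaw's own guard: a fail-closed special-use IPv4
// check. Ranges follow the IANA IPv4 Special-Purpose Address Registry.
const SPECIAL_USE_V4 = [
  '0.0.0.0/8',        // "this" network
  '10.0.0.0/8',       // private
  '100.64.0.0/10',    // shared address space (CGNAT)
  '127.0.0.0/8',      // loopback
  '169.254.0.0/16',   // link-local (cloud metadata endpoints live here)
  '172.16.0.0/12',    // private
  '192.0.0.0/24',     // IETF protocol assignments
  '192.0.2.0/24',     // TEST-NET-1
  '192.168.0.0/16',   // private
  '198.18.0.0/15',    // benchmarking
  '198.51.100.0/24',  // TEST-NET-2
  '203.0.113.0/24',   // TEST-NET-3
  '224.0.0.0/4',      // multicast
  '240.0.0.0/4',      // reserved, includes 255.255.255.255 broadcast
];
// Parse a strict dotted-quad (four decimal octets, no leading zeros, so no
// octal/hex/integer shorthand) into an unsigned 32-bit number, else null.
function parseIpv4(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const oct = m[i];
    if (oct.length > 1 && oct[0] === '0') return null; // reject "010"
    const v = Number(oct);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}
// Membership of a 32-bit address in a CIDR block, compared as unsigned.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIpv4(base) & mask) >>> 0);
}
// True when the address must be blocked. Unparseable input is blocked too
// (fail closed), so alternative encodings cannot slip past the guard.
function isSpecialUseIpv4(str) {
  const ip = parseIpv4(str);
  if (ip === null) return true;
  return SPECIAL_USE_V4.some((cidr) => inCidr(ip, cidr));
}
```

A fetcher would call isSpecialUseIpv4 on every resolved address (including after redirects), not only on the hostname the caller supplied.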
CVE-2026-32019 was publicly disclosed on 2026-03-19. There is no indication of active exploitation campaigns or public proof-of-concept (POC) code available at this time. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is likely to be low given the lack of public exploits and the specific network reachability requirement for exploitation.
Applications using the OpenClaw Node.js package in their backend infrastructure are at risk. This includes projects that rely on OpenClaw for web scraping, data extraction, or other URL fetching tasks. Specifically, deployments with relaxed network security policies or those that expose internal services accessible via HTTP/HTTPS are more vulnerable.
• nodejs / supply-chain: npm list openclaw (shows the installed OpenClaw version)
• nodejs / supply-chain: npm audit (reports known-vulnerable dependencies, including openclaw)
• generic web: Inspect network traffic for requests to special-use IPv4 ranges (e.g., 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.0.0.0/24, 192.168.0.0/16) originating from your application.
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32019 is to upgrade the OpenClaw package to version 2026.2.22 or later. This patched version includes a corrected isPrivateIpv4() function that accurately blocks the vulnerable IPv4 ranges. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests to known special-use IPv4 ranges. Additionally, carefully review and restrict the allowed domains and protocols for web_fetch to minimize the potential attack surface. After upgrading, confirm the fix by attempting to access a known special-use IPv4 address through the OpenClaw package and verifying that the request is blocked.
Update the OpenClaw library to version 2026.2.22 or later. This version fixes the incomplete validation of special-use IPv4 ranges, preventing SSRF attacks that could reach blocked addresses.
CVE-2026-32019 is a HIGH severity SSRF vulnerability affecting the OpenClaw Node.js package, allowing attackers to bypass SSRF policies and potentially access internal resources.
You are affected if you are using OpenClaw versions 2026.2.21-2 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade the OpenClaw package to version 2026.2.22 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation or public proof-of-concept code available for CVE-2026-32019.
Refer to the OpenClaw project's official advisory for detailed information and updates: [https://github.com/openclaw/openclaw/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)