Platform: nodejs
Component: openclaw
Fixed in: 2026.2.14
CVE-2026-28476 describes a server-side request forgery (SSRF) vulnerability in OpenClaw, specifically within the optional Tlon (Urbit) extension. This flaw allows an attacker, under specific conditions, to manipulate the gateway into making HTTP requests to arbitrary destinations, including internal network addresses. The vulnerability impacts OpenClaw versions 0 through 2026.2.14, and a fix is available in version 2026.2.14.
The SSRF vulnerability arises from the Tlon (Urbit) extension's acceptance of a user-provided base URL for authentication. If an attacker can influence this configured Urbit URL, they can trick the OpenClaw gateway into sending HTTP requests to hosts of their choosing. This could lead to unauthorized access to internal services, data exfiltration, or even exploitation of other vulnerabilities within the internal network. The blast radius is limited to deployments utilizing the Tlon extension and where the attacker can control the Urbit URL configuration. Successful exploitation requires both the extension to be installed and configured, and the ability to manipulate the base URL used for authentication.
This vulnerability was publicly disclosed on March 5, 2026. There is no indication of active exploitation at this time, nor are there any publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The SSRF nature of the vulnerability suggests a potentially low to medium probability of exploitation, depending on the prevalence of the Tlon extension and the security posture of the affected deployments.
Organizations deploying OpenClaw with the Tlon (Urbit) extension enabled are at risk. This includes those using OpenClaw for custom applications or integrations where the Urbit URL is not carefully controlled. Shared hosting environments where users can configure extensions pose a heightened risk.
• nodejs: Monitor OpenClaw logs for unusual outbound HTTP requests, particularly those originating from the Tlon (Urbit) extension. Use lsof or netstat to identify processes making connections to unexpected destinations.
  lsof -i | grep claw
• generic web: Examine access logs for requests to internal resources that should not be accessible from the outside. Check response headers for signs of SSRF exploitation.
  grep "internal.domain.com" /var/log/nginx/access.log
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-28476 is to upgrade OpenClaw to version 2026.2.14 or later, which includes the fix for this SSRF vulnerability. If an immediate upgrade is not feasible, consider disabling the Tlon (Urbit) extension entirely, as this eliminates the attack surface. As a temporary workaround, restrict network access from the OpenClaw gateway to only necessary external resources using firewall rules or a proxy server. Regularly review and validate the configuration of the Tlon extension to ensure that the base URL is not susceptible to manipulation.
Update OpenClaw to version 2026.2.14 or later. This version fixes the Server-Side Request Forgery (SSRF) vulnerability in the Tlon Urbit extension by properly validating the user-supplied URLs used for authentication.
CVE-2026-28476 is a server-side request forgery vulnerability in OpenClaw's Tlon (Urbit) extension, allowing attackers to make HTTP requests to arbitrary destinations.
You are affected if you are using OpenClaw versions 0–2026.2.14 and have the Tlon (Urbit) extension installed and configured.
Upgrade OpenClaw to version 2026.2.14 or later. Alternatively, disable the Tlon (Urbit) extension if an upgrade is not immediately possible.
There is currently no evidence of active exploitation, and no public proof-of-concept exploits are available.
Refer to the OpenClaw project's official security advisories for the most up-to-date information and guidance.