CVE-2026-35629

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L                                    

Vulnerability Description

OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.

Vulnerability Details

Published Date

April 09, 2026

Last Modified

April 15, 2026

CWE ID

CWE-918

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf
https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions

CVE-2026-35629

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment