CVE-2026-27488

UNKNOWN 0.0

OpenClaw hardened cron webhook delivery against SSRF

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.

CWE	CWE-918
Vendor	openclaw
Product	openclaw
Published	Feb 21, 2026
Last Updated	Feb 24, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new unknown vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

openclaw / openclaw

< 2026.2.19

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp github.com: https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655 github.com: https://github.com/openclaw/openclaw/releases/tag/v2026.2.19