CVE-2026-43527

HIGH 7.7

OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.

CWE	CWE-918 CWE-1188
Vendor	openclaw
Product	openclaw
Published	May 5, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new high vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.4.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c github.com: https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed github.com: https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2 github.com: https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a github.com: https://github.com/openclaw/openclaw/commit/7eecfa411df3d12e6b810e6ca5df47254fc3db3f vulncheck.com: https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-private-network-navigation

Credits

🔍 dhyabi2