CVE-2026-22181

OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through proxy behavior instead of pinned-destination routing, enabling access to internal targets reachable from the proxy environment.
Configurations

Configuration 1

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

25 Mar 2026, 15:16

Type    Values Removed    Values Added
CVSS    v2 : unknown      v2 : unknown
        v3 : 6.4          v3 : 7.6

20 Mar 2026, 20:08

Type: References (values removed were the same URLs without tags; values added carry the tags shown)
  • https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e5549e - Broken Link
  • https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375 - Mitigation, Vendor Advisory
  • https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environment-proxy-configuration-in-web-fetch - Third Party Advisory
Type: First Time (values added)
  • Openclaw openclaw
  • Openclaw
Type: CPE (values added)
  • cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

18 Mar 2026, 14:52

Type Values Removed Values Added
Summary (values added)
  • (es) OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to evade SSRF protections when proxy environment variables are configured. When the HTTP_PROXY, HTTPS_PROXY or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through the proxy behavior instead of pinned-destination routing, which allows access to internal targets reachable from the proxy environment.

18 Mar 2026, 02:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-18 02:16

Updated : 2026-03-25 15:16

NVD link : CVE-2026-22181

Mitre link : CVE-2026-22181

CVE.ORG link : CVE-2026-22181

Products Affected

openclaw
  • openclaw

CWE

CWE-918: Server-Side Request Forgery (SSRF)