CVE-2026-26324

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-26324
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. Version 2026.2.14 patches the issue.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19 Patch
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 Product Release Notes
https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
History

23 Feb 2026, 18:13

Type Values Removed Values Added
Summary
  • (es) OpenClaw es un asistente personal de IA. Antes de la versión 2026.2.14, la protección SSRF de OpenClaw podía ser eludida utilizando literales IPv6 mapeados a IPv4 en formato completo, como '0:0:0:0:0:ffff:7f00:1' (que es '127.0.0.1'). Esto podría permitir que solicitudes que deberían ser bloqueadas (metadatos de bucle invertido / red privada / enlace local) pasaran la protección SSRF. La versión 2026.2.14 corrige el problema.
CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
First Time Openclaw openclaw
Openclaw
References () https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19 - () https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19 - Patch
References () https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 - () https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 - Product, Release Notes
References () https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f - () https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f - Vendor Advisory

19 Feb 2026, 23:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-19 23:16

Updated : 2026-02-23 18:13

NVD link : CVE-2026-26324

Mitre link : CVE-2026-26324

CVE.ORG link : CVE-2026-26324

JSON object : View

Products Affected

openclaw

  • openclaw
CWE
CWE-918

Server-Side Request Forgery (SSRF)