CVE-2026-6011

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.

CVSS v3 5.6 MEDIUM
CVSS v2.0 5.1 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.1^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/openclaw/openclaw/	Product
https://github.com/openclaw/openclaw/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR44	Patch
https://github.com/openclaw/openclaw/releases/tag/v2026.1.29	Release Notes
https://github.com/zast-ai/vulnerability-reports/blob/main/openclaw/ssrf.md	Exploit Mitigation Patch Third Party Advisory
https://vuldb.com/submit/795224	Patch Third Party Advisory VDB Entry
https://vuldb.com/vuln/356567	Third Party Advisory VDB Entry
https://vuldb.com/vuln/356567/cti	Permissions Required VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

30 Apr 2026, 14:22

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/ -~~	() https://github.com/openclaw/openclaw/ - Product
References	~~() https://github.com/openclaw/openclaw/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR44 -~~	() https://github.com/openclaw/openclaw/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR44 - Patch
References	~~() https://github.com/openclaw/openclaw/releases/tag/v2026.1.29 -~~	() https://github.com/openclaw/openclaw/releases/tag/v2026.1.29 - Release Notes
References	~~() https://github.com/zast-ai/vulnerability-reports/blob/main/openclaw/ssrf.md -~~	() https://github.com/zast-ai/vulnerability-reports/blob/main/openclaw/ssrf.md - Exploit, Mitigation, Patch, Third Party Advisory
References	~~() https://vuldb.com/submit/795224 -~~	() https://vuldb.com/submit/795224 - Patch, Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/356567 -~~	() https://vuldb.com/vuln/356567 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/356567/cti -~~	() https://vuldb.com/vuln/356567/cti - Permissions Required, VDB Entry
First Time		Openclaw openclaw Openclaw
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

10 Apr 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-10 05:16

Updated : 2026-04-30 14:22

NVD link : CVE-2026-6011

Mitre link : CVE-2026-6011

CVE.ORG link : CVE-2026-6011

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-918

Server-Side Request Forgery (SSRF)

5.6 /10