High severity 7.4 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 20, 2026
CVE-2026-32019
Description
OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch functionality to access blocked addresses such as 198.18.0.0/15 and other non-global ranges.
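The gap described above, as an added example that is not OpenClaw's code: a guard built only from private, loopback and link-local ranges lets 198.18.0.0/15 through, while one built from the IANA IPv4 special-use ranges blocks it. All names here (SPECIAL_USE_V4, PRIVATE_ONLY_V4, isNonGlobalIpv4, isPrivateOnlyIpv4) are hypothetical, and the narrow list is constructed for comparison, not taken from the vulnerable isPrivateIpv4().

```javascript
// Added example, not OpenClaw's code; every name below is hypothetical.
// Non-global IPv4 ranges from the IANA special-purpose address registry.
const SPECIAL_USE_V4 = [
  "0.0.0.0/8",       // "this network"
  "10.0.0.0/8",      // private (RFC 1918)
  "100.64.0.0/10",   // carrier-grade NAT shared space (RFC 6598)
  "127.0.0.0/8",     // loopback
  "169.254.0.0/16",  // link-local
  "172.16.0.0/12",   // private (RFC 1918)
  "192.0.0.0/24",    // IETF protocol assignments
  "192.0.2.0/24",    // TEST-NET-1
  "192.168.0.0/16",  // private (RFC 1918)
  "198.18.0.0/15",   // benchmarking (RFC 2544), the range named in the advisory
  "198.51.100.0/24", // TEST-NET-2
  "203.0.113.0/24",  // TEST-NET-3
  "224.0.0.0/4",     // multicast
  "240.0.0.0/4",     // reserved, includes 255.255.255.255
];
// Constructed narrow list for comparison: private, loopback, link-local only.
const PRIVATE_ONLY_V4 = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"];

// Strict dotted-decimal parser: four octets, no leading zeros, no hex or octal forms.
function parseIpv4(text) {
  const parts = typeof text === "string" ? text.split(".") : [];
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value; // unsigned 32-bit value held in a JS number
}

function inCidr(addr, cidr) {
  const [base, bits] = cidr.split("/");
  const start = parseIpv4(base);
  return addr >= start && addr < start + 2 ** (32 - Number(bits));
}

// Fail closed: anything that does not parse as plain IPv4 is treated as blocked.
function isBlocked(text, ranges) {
  const addr = parseIpv4(text);
  if (addr === null) return true;
  return ranges.some((cidr) => inCidr(addr, cidr));
}

const isNonGlobalIpv4 = (text) => isBlocked(text, SPECIAL_USE_V4);
const isPrivateOnlyIpv4 = (text) => isBlocked(text, PRIVATE_ONLY_V4);
```

A check like this belongs on the address the request actually connects to, after DNS resolution and on every redirect hop, not only on the hostname in the original URL.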
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.22 | 2026.2.22 |
References
- github.com/openclaw/openclaw/commit/333fbb86347998526dd514290adfd5f727caa6d9 (nvd, Patch, WEB)
- github.com/openclaw/openclaw/commit/44dfbd23df453e51b71ef79a148c28c53e89168c (nvd, Patch, WEB)
- github.com/openclaw/openclaw/commit/71bd15bb4294d3d1b54386064d69cd0f5f731bd8 (nvd, Patch, WEB)
- github.com/openclaw/openclaw/commit/f14ebd743cfc73f667fae80af70043d0ab1f88bd (nvd, Patch, WEB)
- github.com/advisories/GHSA-4rqq-w8v4-7p47 (ghsa, ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47 (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-32019 (ghsa, ADVISORY)
- www.vulncheck.com/advisories/openclaw-incomplete-ipv4-special-use-range-blocking-in-ssrf-guard (nvd, Third Party Advisory, WEB)