High severity, score 7.4 (NVD) · Published Apr 9, 2026 · Updated Apr 15, 2026
CVE-2026-35629
Description
OpenClaw before 2026.3.25 contains a server-side request forgery (SSRF) vulnerability in multiple channel extensions. The base URL configured for each extension is passed to fetch() without an SSRF guard, so an attacker who controls, or can rebind the DNS of, a configured endpoint can steer those requests to internal destinations that are supposed to be blocked and read restricted resources. Note that the NVD description's version bound (before 2026.3.25) differs from the patched version recorded in the GitHub Security Advisory (2026.3.28, see the package table below); treat the later version as the one to upgrade to.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.28 | 2026.3.28 |
References
- Patch commit: https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf
- GitHub advisory GHSA-pg2v-8xwh-qhcc: https://github.com/advisories/GHSA-pg2v-8xwh-qhcc
- GitHub advisory GHSA-rhfg-j8jq-7v2h: https://github.com/advisories/GHSA-rhfg-j8jq-7v2h
- Vendor advisory GHSA-rhfg-j8jq-7v2h: https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-35629
- Third-party advisory (VulnCheck): https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions