Upgrade openclaw to version 2026.4.19-beta.1 or higher.
openclaw is a 🦞 OpenClaw — Personal AI Assistant
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl pointing to a private-network or metadata endpoint, which may later be accessed during normal profile status checks. This is only exploitable if strict-mode SSRF protections are enabled and private-network CDP targets are explicitly disabled.
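A creation-time check of the kind described above, as an added example that is not openclaw's code: it rejects a `cdpUrl` whose target is a private-network or metadata address before the profile is stored, so later status checks never request it. The function names, the `policy.strictSsrf` and `policy.allowPrivateCdp` fields, the `resolved` parameter and the range list are assumptions made for illustration.

```javascript
// Private-network and metadata IPv4 ranges as [base, prefix bits] (constructed list).
const BLOCKED_V4 = [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];
const v4ToInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
const blockedV4 = (ip) => BLOCKED_V4.some(([base, bits]) =>
  Math.floor(v4ToInt(ip) / 2 ** (32 - bits)) === Math.floor(v4ToInt(base) / 2 ** (32 - bits)));

// Expects an IPv6 literal as the URL parser serialises it (lowercase, compressed).
function blockedV6(ip) {
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip); // IPv4-mapped form
  if (m) {
    const [hi, lo] = [parseInt(m[1], 16), parseInt(m[2], 16)];
    return blockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  if (ip === "::" || ip === "::1") return true; // unspecified, loopback
  const first = ip.startsWith("::") ? 0 : parseInt(ip.split(":")[0], 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // ULA, link-local
}

// Host as serialised by the URL parser, brackets removed. Parsing also
// normalises numeric forms such as 2130706433 to 127.0.0.1.
const hostOf = (url) => url.hostname.replace(/^\[|\]$/g, "");
const isIpLiteral = (h) => h.includes(":") || /^(\d+\.){3}\d+$/.test(h);

// Hypothetical check: null when the target is allowed, otherwise a reason string.
// `resolved` is the address list the caller's DNS lookup returned for a hostname.
function checkCdpUrl(cdpUrl, policy, resolved = []) {
  let url;
  try { url = new URL(cdpUrl); } catch { return "invalid URL"; }
  if (!["http:", "https:", "ws:", "wss:"].includes(url.protocol)) return "unsupported scheme";
  if (!policy.strictSsrf || policy.allowPrivateCdp) return null; // private targets permitted
  const host = hostOf(url);
  let addrs;
  try {
    addrs = isIpLiteral(host) ? [host]
      : resolved.map((a) => hostOf(new URL(`http://${a.includes(":") ? `[${a}]` : a}/`)));
  } catch { return "unparseable resolved address"; }
  // Fail closed when a hostname has no usable address list.
  if (addrs.length === 0 || !addrs.every(isIpLiteral)) return "hostname not resolved to IP addresses";
  const bad = addrs.find((a) => (a.includes(":") ? blockedV6(a) : blockedV4(a)));
  return bad ? `private or metadata address ${bad}` : null;
}

// Hypothetical store: reject at creation so no later status check requests the target.
function createProfile(store, name, cdpUrl, policy, resolved) {
  const reason = checkCdpUrl(cdpUrl, policy, resolved);
  if (reason) throw new Error(`profile "${name}" rejected: ${reason}`);
  store.set(name, { cdpUrl });
}
```

Because DNS answers can change after a profile is saved, the same `checkCdpUrl` call belongs in the status-check path as well, run against the addresses resolved at that moment.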