GHSA-rhfg-j8jq-7v2h

Source
https://github.com/advisories/GHSA-rhfg-j8jq-7v2h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rhfg-j8jq-7v2h/GHSA-rhfg-j8jq-7v2h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rhfg-j8jq-7v2h
Aliases
  • CVE-2026-35629
Downstream
Published
2026-03-29T15:48:42Z
Modified
2026-04-10T20:34:59.028687Z
Summary
OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Details

Summary

SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Several channel extensions still used raw fetch() against configured base URLs without the SSRF guard that was added for CVE-2026-28476. Commit f92c92515bd439a71bd03eb1bc969c1964f17acf routes those outbound requests through fetchWithSsrFGuard so configured endpoints cannot be rebound to blocked internal destinations.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit f92c92515bd439a71bd03eb1bc969c1964f17acf.

Fix Commit(s)

  • f92c92515bd439a71bd03eb1bc969c1964f17acf
Database specific
{
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed_at": "2026-03-29T15:48:42Z",
    "github_reviewed": true
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2026.3.28

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rhfg-j8jq-7v2h/GHSA-rhfg-j8jq-7v2h.json"