SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Package: openclaw
Affected versions: <= 2026.3.24
Patched versions: 2026.3.25

Several channel extensions still used raw fetch() against configured base URLs without the SSRF guard that was added for CVE-2026-28476. Commit f92c92515bd439a71bd03eb1bc969c1964f17acf routes those outbound requests through fetchWithSsrFGuard so configured endpoints cannot be rebound to blocked internal destinations.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit f92c92515bd439a71bd03eb1bc969c1964f17acf.
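The kind of check such a guard performs, as an added example that is not openclaw's code: instead of trusting the configured base URL string, vet the addresses it resolves to at request time and connect only to a vetted one. The names isBlockedAddress and vetDestination, the blocked-range list and the sample addresses are assumptions made for illustration, not the project's fetchWithSsrFGuard.

```javascript
// Added example: a hypothetical guard, not openclaw's fetchWithSsrFGuard.
const BLOCKED_V4 = [ // [network, prefix length]; an assumed, non-exhaustive list
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad IPv4 literal to an integer, or null if it is not one.
function v4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when an IP literal is internal, or cannot be classified (fail closed).
function isBlockedAddress(ip) {
  const lower = ip.toLowerCase();
  const n = v4ToInt(lower.startsWith("::ffff:") ? lower.slice(7) : lower);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  // Not an IP literal, or an IPv4-mapped form we did not decode: refuse.
  if (!lower.includes(":") || lower.startsWith("::ffff:")) return true;
  if (lower === "::1" || lower === "::") return true;
  // Unique-local fc00::/7 and link-local fe80::/10.
  return /^f[cd][0-9a-f]{2}:/.test(lower) || /^fe[89ab][0-9a-f]:/.test(lower);
}

// Vet a configured base URL against the addresses it resolves to right now.
// `resolved` is the caller's DNS answer for this request, not a cached one.
function vetDestination(baseUrl, resolved) {
  const url = new URL(baseUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  if (resolved.length === 0) return { ok: false, reason: "no-address" };
  const bad = resolved.find((addr) => isBlockedAddress(addr));
  if (bad !== undefined) return { ok: false, reason: "blocked:" + bad };
  // Connect to this vetted address so a second lookup cannot change the target.
  return { ok: true, pinned: resolved[0] };
}
```

A raw fetch() against the configured URL skips both steps: nothing inspects the resolved address, and the name is resolved again when the socket opens.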
f92c92515bd439a71bd03eb1bc969c1964f17acf
{
"nvd_published_at": null,
"severity": "HIGH",
"cwe_ids": [
"CWE-918"
],
"github_reviewed_at": "2026-03-29T15:48:42Z",
"github_reviewed": true
}