CVE-2026-6011

Source
https://cve.org/CVERecord?id=CVE-2026-6011
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6011.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-6011
Aliases
Published
2026-04-10T03:45:14.380Z
Modified
2026-07-08T08:13:48.422757121Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
OpenClaw assertPublicHostname web-fetch.ts server-side request forgery
Details

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6011.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "2026.1.0"
                },
                {
                    "last_affected": "2026.1.0"
                },
                {
                    "introduced": "2026.1.1"
                },
                {
                    "last_affected": "2026.1.1"
                },
                {
                    "introduced": "2026.1.2"
                },
                {
                    "last_affected": "2026.1.2"
                },
                {
                    "introduced": "2026.1.4"
                },
                {
                    "last_affected": "2026.1.4"
                },
                {
                    "introduced": "2026.1.6"
                },
                {
                    "last_affected": "2026.1.6"
                },
                {
                    "introduced": "2026.1.7"
                },
                {
                    "last_affected": "2026.1.7"
                },
                {
                    "introduced": "2026.1.17"
                },
                {
                    "last_affected": "2026.1.17"
                },
                {
                    "introduced": "2026.1.18"
                },
                {
                    "last_affected": "2026.1.18"
                },
                {
                    "introduced": "2026.1.19"
                },
                {
                    "last_affected": "2026.1.19"
                },
                {
                    "introduced": "2026.1.25"
                },
                {
                    "last_affected": "2026.1.25"
                },
                {
                    "introduced": "2026.1.26"
                },
                {
                    "last_affected": "2026.1.26"
                }
            ]
        }
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type
GIT
Repo
https://github.com/openclaw/openclaw
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.1.29"
        }
    ]
}

Affected versions

2026.*
2026.1.10
2026.1.11
2026.1.12
2026.1.13
2026.1.14
2026.1.15
2026.1.16
2026.1.20
2026.1.21
2026.1.22
2026.1.23
2026.1.24
2026.1.3
2026.1.5
2026.1.8
2026.1.9
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v1.*
v1.0.4
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v2.*
v2.0.0-beta1
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta4
v2.0.0-beta5
v2026.*
v2026.1.10
v2026.1.11
v2026.1.11-1
v2026.1.11-2
v2026.1.11-3
v2026.1.12
v2026.1.12-2
v2026.1.13
v2026.1.14-1
v2026.1.15
v2026.1.16-2
v2026.1.20
v2026.1.21
v2026.1.22
v2026.1.23
v2026.1.24
v2026.1.24-1
v2026.1.5
v2026.1.5-1
v2026.1.5-2
v2026.1.5-3
v2026.1.8
v2026.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6011.json"