GHSA-pg2v-8xwh-qhcc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pg2v-8xwh-qhcc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pg2v-8xwh-qhcc/GHSA-pg2v-8xwh-qhcc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pg2v-8xwh-qhcc
- Aliases
- Published
- 2026-02-18T00:55:00Z
- Modified
- 2026-05-05T15:56:02.684379Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L CVSS Calculator
- Summary
- OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
- Details
-
Summary
The optional Tlon (Urbit) extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery (SSRF) in affected deployments.
Impact
This only affects deployments that have installed and configured the Tlon (Urbit) extension, and where an attacker can influence the configured Urbit URL. Under those conditions, the gateway could be induced to make HTTP requests to attacker-chosen hosts (including internal addresses).
Deployments that do not use the Tlon extension, or where untrusted users cannot change the Urbit URL, are not impacted.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.13
Fixed Versions
2026.2.14(planned next release)
Fix Commit(s)
bfa7d21e997baa8e3437657d59b1e296815cc1b1
Details
Urbit authentication now validates and normalizes the base URL and uses an SSRF guard that blocks private/internal hosts by default (opt-in:
channels.tlon.allowPrivateNetwork).Release Process Note
This advisory is pre-populated with the planned patched version (
2026.2.14). Afteropenclaw@2026.2.14is published to npm, publish this advisory without further edits.Thanks @p80n-sec for reporting.
- Package:
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:55:00Z", "nvd_published_at": "2026-03-05T22:16:21Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc
- https://nvd.nist.gov/vuln/detail/CVE-2026-28476
- https://github.com/openclaw/openclaw/commit/bfa7d21e997baa8e3437657d59b1e296815cc1b1
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-tlon-extension-authentication
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw