CVE-2026-26324

Published: Feb 19, 2026Modified: Feb 23, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. Version 2026.2.14 patches the issue.

Affected (1)

Products: Openclaw: Openclaw

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Openclaw Openclaw	Before 2026.2.14

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19

Source: security-advisories@github.com

Patch

https://github.com/openclaw/openclaw/releases/tag/v2026.2.14

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.