CVE-2026-28476
Published: 05 March 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-28476 is a server-side request forgery (SSRF) vulnerability, mapped to CWE-918, affecting OpenClaw versions prior to 2026.2.14. The flaw exists in the optional Tlon Urbit extension, which accepts user-provided base URLs for authentication without proper validation, published on 2026-03-05 with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).
Attackers who can influence the configured Urbit URL can exploit this vulnerability to induce the OpenClaw gateway to issue HTTP requests to arbitrary hosts, including internal addresses. Exploitation requires no privileges or user interaction and can be performed over the network with low complexity, potentially enabling access to restricted resources through the gateway's requests.
Advisories recommend upgrading to OpenClaw version 2026.2.14 or later to mitigate the issue. Key references include the GitHub security advisory (GHSA-pg2v-8xwh-qhcc), the patching commit (bfa7d21e997baa8e3437657d59b1e296815cc1b1), and the VulnCheck advisory detailing the SSRF in the Tlon extension authentication.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF vulnerability in public-facing OpenClaw gateway (AV:N/AC:L/PR:N) directly enables exploitation of a public-facing application.