PT-2026-25120 · Npm · Openclaw

Publicado

2026-03-02

·

Atualizado

2026-03-02

CVSS v4.0

8.7

Alta

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Gemini web search citation redirect resolution used a private-network-allowing SSRF policy. A citation URL redirect could target loopback/private/internal destinations and be fetched by the gateway.

Impact

An attacker who can influence citation redirect targets could trigger internal-network requests from the OpenClaw host.

Fix

Citation redirect resolution now uses strict/default SSRF policy (no private-network override), blocking localhost/private/internal redirect targets.

Affected and Patched Versions

  • Affected: <= 2026.2.26
  • Patched: 2026.3.1

Correção

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-918

Identificadores relacionados

GHSA-G99V-8HWM-G76G

Produtos afetados

Openclaw