PT-2026-26400 · Openclaw · Openclaw
Princeeismond-Dot
·
Publicado
2026-03-04
·
Atualizado
2026-03-20
·
CVE-2026-32019
CVSS v3.1
7.4
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.22
Description
The
isPrivateIpv4() function in OpenClaw contains incomplete IPv4 special-use range validation. This allows requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit the web fetch functionality to access blocked addresses, such as those within the 198.18.0.0/15 range and other non-global ranges. The issue stems from narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. The web fetch API endpoint is affected. The isPrivateIpv4() function is vulnerable.Recommendations
Update to version 2026.2.22 or later.
Correção
SSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Openclaw