Dhyabi2

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.14 **Description** A server-side request forgery (SSRF) issue exists in the browser SSRF policy that allows private-network navigation by default. This misconfiguration enables attackers to access internal services or metadata endpoints through browser-driven requests. The issue stems from the browser SSRF protection allowing private-network navigation in paths where restrictive behavior was expected. **Recommendations** Update to version 2026.4.14 or newer.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.10 **Description** A server-side request forgery issue exists in the browser navigation policy. This allows attackers to bypass hostname validation using DNS rebinding attacks, which involve exploiting inconsistent hostname resolution between the validation phase and the actual network request. Consequently, attackers can pivot to internal resources by using URLs with hostnames that are not on the allowlist. **Recommendations** Update to version 2026.4.10.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.15 **Description** An authentication bypass exists in the Feishu webhook and card-action validation. When the `encryptKey` configuration is missing or callback tokens are blank, the system fails open rather than rejecting requests. This allows unauthenticated requests to reach command dispatch by bypassing signature verification and replay protection, which can lead to the execution of arbitrary commands. **Recommendations** Update to version 2026.4.15 or later.