Openclaw · Openclaw · CVE-2026-32019
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.2.22
**Description**
The `isPrivateIpv4()` function in OpenClaw contains incomplete IPv4 special-use range validation. This allows requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit the `web fetch` functionality to access blocked addresses, such as those within the 198.18.0.0/15 range and other non-global ranges. The issue stems from narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. The `web fetch` API endpoint is affected. The `isPrivateIpv4()` function is vulnerable.
**Recommendations**
Update to version 2026.2.22 or later.