CVE-2026-26324

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.14

Description The SSRF protection in OpenClaw could be bypassed using full-form IPv4-mapped IPv6 literals, such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This bypass allows requests that should be blocked, including those to loopback, private networks, and link-local metadata, to pass the SSRF guard. The vulnerable component is the SSRF guard (src/infra/net/ssrf.ts). The issue is an SSRF protection bypass.

Recommendations Update OpenClaw to version 2026.2.14 or later.