PT-2026-21339 · Openclaw · Openclaw

Adam55A-Code · Published 2026-02-20 · Updated 2026-02-21 · CVE-2026-27488

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.17 and below

Description: OpenClaw is a personal AI assistant. The cron webhook delivery code in src/gateway/server-cron.ts calls fetch() directly on the configured webhook URL, with no Server-Side Request Forgery (SSRF) policy check on the target. A webhook target can therefore point at loopback, private-network, link-local and cloud metadata endpoints, or at other internal services the gateway can reach, and the server will issue the request on the attacker's behalf. This could allow unauthorized access to internal resources. SSRF is a web security flaw in which an attacker induces the server to make HTTP requests to a destination of the attacker's choosing.

Recommendations: Versions prior to 2026.2.19 are affected. Update OpenClaw to version 2026.2.19 or later.

Exploit · Fix · SSRF


Related Identifiers

CVE-2026-27488
GHSA-W45G-5746-X9FP

Affected Products

Openclaw