PT-2026-23542 · Openclaw · Openclaw

Petr Simecek · Published 2026-02-17 · Updated 2026-03-09 · CVE-2026-28467

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.2

Description: The software contains a server-side request forgery issue in attachment and media URL handling. This allows remote attackers to retrieve data from arbitrary HTTP(S) URLs. An attacker who can control media URLs through mechanisms like sendAttachment or auto-reply features can trigger SSRF to internal resources and potentially exfiltrate the fetched response data as attachments. The issue stems from a raw fetch(url) call without SSRF protections in affected versions. Starting with version 2026.2.2, remote media fetching includes SSRF checks, such as blocking private, loopback, and link-local addresses, DNS pinning, and redirect handling. The vulnerable component is the remote media fetching functionality.

Recommendations: Upgrade to OpenClaw version 2026.2.2 or later.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-28467
GHSA-WFP2-V9C7-FH79

Affected Products

Openclaw