PT-2026-23551 · Openclaw+1

Peyton Kennedy · Published 2026-02-15 · Updated 2026-03-30 · CVE-2026-28476

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14

Description: The optional Tlon (Urbit) extension does not properly validate the user-provided base URL it uses for authentication, leading to server-side request forgery (SSRF). An attacker who can influence the configured Urbit URL can cause the gateway to make HTTP requests to arbitrary hosts, including internal addresses. Only deployments that have installed and configured the Tlon (Urbit) extension, and in which an attacker can influence the configured Urbit URL, are affected; deployments that do not use the Tlon extension, or where untrusted users cannot change the Urbit URL, are not impacted.

Recommendations: Versions prior to 2026.2.14 should be updated to version 2026.2.14 or later.
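The missing check described above, as an added example that is not OpenClaw's or the Tlon extension's own code: a validator for an operator-configured Urbit base URL that rejects non-HTTP schemes, embedded credentials, and loopback, private and link-local address literals before the gateway sends any authentication request. The function and type names are assumptions for illustration.

```typescript
// Added example, not OpenClaw's own code: reject SSRF-prone base URLs
// before the gateway uses them for authentication requests.
// Function and type names below are assumptions for illustration.

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// WHATWG URL parsing normalises IPv4 forms such as "2130706433" or
// "0x7f.0.0.1" to dotted decimal, so matching on the parsed hostname
// also catches those encodings.
function isBlockedIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 ||                            // 0.0.0.0/8 ("this" network)
    a === 10 ||                                // 10.0.0.0/8
    a === 127 ||                               // loopback
    (a === 100 && b >= 64 && b <= 127) ||      // 100.64.0.0/10 (CGNAT)
    (a === 169 && b === 254) ||                // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||       // 172.16.0.0/12
    (a === 192 && b === 168);                  // 192.168.0.0/16
}

// url.hostname returns IPv6 literals in brackets, e.g. "[::1]".
function isBlockedIPv6(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "::1" || h === "::") return true;                   // loopback, unspecified
  if (h.startsWith("fc") || h.startsWith("fd")) return true;     // fc00::/7 unique local
  if (/^fe[89ab]/.test(h)) return true;                          // fe80::/10 link-local
  return h.startsWith("::ffff:");                                // v4-mapped: reject conservatively
}

function validateUrbitBaseUrl(raw: string): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  const host = url.hostname; // already lower-cased by the parser
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return { ok: false, reason: "local hostname" };
  }
  if (isBlockedIPv4(host) || isBlockedIPv6(host)) {
    return { ok: false, reason: "address in a blocked range" };
  }
  return { ok: true, url };
}
```

Literal-address checks alone do not stop a public hostname that resolves to an internal address; a complete mitigation also checks the resolved address at connection time.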

Weakness Enumeration

SSRF

Related Identifiers

BDU:2026-07918
CVE-2026-28476
GHSA-PG2V-8XWH-QHCC

Affected Products

Openclaw
Tlon