PT-2026-25409 · Npm · Openclaw
Published: 2026-03-03 · Updated: 2026-03-03
CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Summary
OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host. In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: >= 2026.2.13 <= 2026.3.1
- Latest vulnerable published version at time of update: 2026.3.1
- Patched versions: >= 2026.3.2 (released)
Technical Details
Vulnerable flows accepted URL payloads and downloaded directly from the provided URL:
- src/cli/nodes-camera.ts (writeUrlToFile) fetched URL payloads without node-host binding.
- src/cli/nodes-cli/register.camera.ts passed camera.snap / camera.clip payload URLs into that downloader.
- src/agents/tools/nodes-tool.ts did the same for camera snap / camera clip tool actions.
Impact
A malicious/compromised paired node could cause gateway-host URL fetches to off-node destinations reachable from the host network. This could be used for internal network probing/fetch pivots in deployments where paired nodes are not fully trusted.
Remediation
The fix introduces fail-closed node-host binding and guarded fetch for camera URL payload downloads:
- Require resolved node host metadata for URL payload downloads.
- Enforce hostname match between payload URL and resolved node host.
- Use SSRF-guarded fetch with redirect host/protocol checks.
- Apply the same enforcement across CLI and agent tool camera paths.
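The checks listed above, sketched in TypeScript as an added example; this is not OpenClaw's code and not the contents of the fix commit. The function names, the redirect limit, the https-downgrade rule and the use of Node's built-in fetch are assumptions, and the IP-level checks of an SSRF guard are not shown.

```typescript
// Added example, not OpenClaw's code. All function names here are hypothetical.
const ALLOWED_PROTOCOLS = ["http:", "https:"];
const REDIRECT_CODES = [301, 302, 303, 307, 308];
const MAX_REDIRECTS = 3; // assumed limit

// Returns the parsed URL only if it targets the resolved node host; throws otherwise.
function resolveBoundUrl(rawUrl: string, nodeHost: string | undefined, base?: string): URL {
  // Fail closed: without resolved node host metadata nothing is downloaded.
  if (!nodeHost) throw new Error("no resolved node host, refusing URL download");
  let url: URL;
  try {
    url = new URL(rawUrl, base);
  } catch {
    throw new Error("payload url is not a valid URL");
  }
  if (!ALLOWED_PROTOCOLS.includes(url.protocol)) {
    throw new Error("protocol not allowed: " + url.protocol);
  }
  // Compare the parser's hostname, so userinfo tricks (http://node@other/) do not match.
  if (url.hostname !== nodeHost.toLowerCase()) {
    throw new Error("host does not match resolved node host: " + url.hostname);
  }
  return url;
}

// Validates one response: null means final response, otherwise the checked next hop.
function nextHop(current: URL, status: number, location: string | null, nodeHost: string): URL | null {
  if (!REDIRECT_CODES.includes(status)) return null;
  if (!location) throw new Error("redirect without Location header");
  const next = resolveBoundUrl(location, nodeHost, current.href);
  if (current.protocol === "https:" && next.protocol === "http:") {
    throw new Error("redirect downgrades https to http");
  }
  return next;
}

// Follows redirects manually (Node fetch) so every hop passes the same binding check.
async function fetchNodeBound(rawUrl: string, nodeHost: string | undefined): Promise<Response> {
  let url = resolveBoundUrl(rawUrl, nodeHost);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = await fetch(url.href, { redirect: "manual" });
    const next = nextHop(url, res.status, res.headers.get("location"), nodeHost as string);
    if (next === null) return res;
    url = next;
  }
  throw new Error("too many redirects");
}
```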
Fix Commit(s)
3bf19d6f40a0aaa55818b96eede3d05130c02533
Fix
SSRF
Affected Products
Openclaw