PT-2026-26012 · Openclaw · Openclaw
Tdjackey · Published 2026-03-03 · Updated 2026-03-18 · CVE-2026-22181
CVSS v2.0: 8.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.2
Description: OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass in strict URL fetch paths, allowing attackers to circumvent Server-Side Request Forgery (SSRF) protections when environment proxy variables are configured. When the HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through the proxy instead of to the destination the guard validated, potentially enabling access to internal targets reachable from the proxy environment. The root cause is that the SSRF guard validates the destination at check time, but at connect time the request can proceed through an environment proxy dispatcher, leaving a gap between check-time resolution and connect-time routing.
Recommendations: Versions prior to 2026.3.2 should be updated to version 2026.3.2 or later. As a temporary workaround, operators can clear proxy environment variables for OpenClaw runtime processes, or disable web fetch and web search where untrusted URL input is possible.
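The check-time versus connect-time gap described above, modelled as an added JavaScript example. This is not OpenClaw's code: the guard, the resolver tables, the hostnames, the documentation-range addresses and the proxy environment value are all constructed for the demonstration. It shows the vulnerable shape (guard resolves and validates the name, then the connect step hands the hostname to the environment proxy, which resolves it on its own) next to a hardened shape (the strict fetch path ignores the environment proxy and connects to the address the guard pinned).

```javascript
// Added example, not OpenClaw's own code. Models the advisory's gap: an SSRF guard
// validates the *resolved* destination at check time, but the connect step sends the
// *hostname* to an environment proxy, which resolves it independently. Every hostname,
// address, resolver table and environment value here is constructed.

// RFC 1918, loopback, link-local and "this network" ranges (IPv4 only, for brevity).
const PRIVATE_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((s) => /^\d{1,3}$/.test(s) && Number(s) <= 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

function isPrivateIPv4(ip) {
  const n = ipv4ToInt(ip);
  return PRIVATE_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Constructed split-horizon DNS: the guard's host sees public (documentation-range)
// addresses, while the proxy inside the corporate network resolves the same name
// to an internal host.
const GUARD_DNS = { "files.example": "203.0.113.10", "api.example": "198.51.100.7", "intranet.example": "10.0.0.9" };
const PROXY_DNS = { "files.example": "10.0.0.5", "api.example": "198.51.100.7" };

function makeResolver(table) {
  return (host) => {
    const ip = table[host];
    if (!ip) throw new Error(`NXDOMAIN: ${host}`);
    return ip;
  };
}

// Check-time guard: resolve the name, reject private destinations, return the pinned address.
function ssrfCheck(urlString, resolve) {
  const url = new URL(urlString);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme not allowed");
  const ip = resolve(url.hostname);
  if (isPrivateIPv4(ip)) throw new Error(`blocked private destination ${ip} for ${url.hostname}`);
  const port = Number(url.port || (url.protocol === "https:" ? "443" : "80"));
  return { hostname: url.hostname, ip, port };
}

function proxyFromEnv(env) {
  return env.HTTPS_PROXY || env.https_proxy || env.HTTP_PROXY || env.http_proxy
    || env.ALL_PROXY || env.all_proxy || null;
}

// Vulnerable shape: the check passes, then the connection honours the env proxy and
// forwards the hostname, so the proxy's own resolution decides where traffic goes.
function planVulnerable(urlString, env, guardResolve, proxyResolve) {
  const checked = ssrfCheck(urlString, guardResolve);
  const proxy = proxyFromEnv(env);
  if (proxy) {
    return { via: "proxy", proxy, connectIp: proxyResolve(checked.hostname), port: checked.port };
  }
  return { via: "direct", connectIp: checked.ip, port: checked.port };
}

// Hardened shape: the strict fetch path deliberately ignores the env proxy and connects
// to the address the guard pinned; the original hostname is kept only for Host/SNI.
function planHardened(urlString, _env, guardResolve) {
  const checked = ssrfCheck(urlString, guardResolve);
  return { via: "direct", connectIp: checked.ip, port: checked.port, hostHeader: checked.hostname };
}

// Demonstration with a constructed proxy setting.
const demoEnv = { HTTPS_PROXY: "http://proxy.corp.example:3128" };
const demoGuard = makeResolver(GUARD_DNS);
const demoProxy = makeResolver(PROXY_DNS);
console.log(planVulnerable("https://files.example/report", demoEnv, demoGuard, demoProxy));
// -> via "proxy", connectIp "10.0.0.5": the guard saw 203.0.113.10, the proxy reached an internal host
console.log(planHardened("https://files.example/report", demoEnv, demoGuard));
// -> via "direct", connectIp "203.0.113.10"
```

The two plans differ only in what reaches the network layer after the check: the vulnerable one passes a name that gets resolved a second time by a host with a different view of DNS, while the hardened one carries the already-validated address forward, which is also why the advisory's workaround of clearing proxy variables closes the gap on unpatched versions.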

Fix

Time Of Check To Time Of Use

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-05073
CVE-2026-22181
GHSA-8MVX-P2R9-R375

Affected Products

Openclaw